    

<!--Header-->

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> <!--Added chrome=1 to utilize Google Chrome Frame in IE-->
    <title>Through the Looking Glass: A Deep Dive into Linux Ransomware Research - signalblur</title> <!--Dynamically render the title based on post, it's good to have a unique title for each page-->
    <!--Responsive design parameters-->
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <!--Added shrink-to-fit=no to handle some responsive design issues on iOS-->
    <!--CSS Links-->
    <link rel="stylesheet" href="https://www.w3schools.com/w3css/4/w3.css">
    <link rel="stylesheet" href="static/css/styles.css">
    <link rel="stylesheet" href="static/css/post.css">
    
    <!--SEO Meta tags-->
    <meta name="description" content="Over the past few weeks, I have done a deep dive into the public research available on Linux Ransomware, seeking to understand the broader landscap..." />
    <link rel="shortcut icon" type="image/x-icon" href="static/images/favicon.ico">
    <link rel="canonical" href="https://www.signalblur.io/through-the-looking-glass" />

    <!--Referrer policy-->
    <meta name="referrer" content="no-referrer-when-downgrade" />

    <!--Open Graph meta tags-->
    <meta property="og:site_name" content="signalblur" />
    <meta property="og:type" content="website" />
    <meta property="og:title" content="Through the Looking Glass: A Deep Dive into Linux Ransomware Research" />
    <meta property="og:description" content="Over the past few weeks, I have done a deep dive into the public research available on Linux Ransomware, seeking to understand the broader landscap..." />
    <meta property="og:url" content="https://www.signalblur.io/through-the-looking-glass" />
    <meta property="og:image" content="static/images/linux-ransomware.png" />

    <!--Twitter meta tags-->
    <meta name="twitter:card" content="summary_large_image" />
    <meta name="twitter:title" content="Through the Looking Glass: A Deep Dive into Linux Ransomware Research" />
    <meta name="twitter:description" content="Over the past few weeks, I have done a deep dive into the public research available on Linux Ransomware, seeking to understand the broader landscap..." />
    <meta name="twitter:url" content="https://www.signalblur.io/through-the-looking-glass" />
    <meta name="twitter:image" content="static/images/linux-ransomware.png"> <!--Consider using dynamic image path as in og:image-->
    <meta name="twitter:site" content="@signalblur" />

    <!--OG Image dimensions-->
    <meta property="og:image:width" content="1920" />
    <meta property="og:image:height" content="1152" />
    
    <!--Schema.org JSON-LD-->
    <script type="application/ld+json">
    {
        "@context": "https://schema.org",
        "@type": "WebSite",
        "publisher": {
            "@type": "Organization",
            "name": "signalblur",
            "url": "https://www.signalblur.io/",
            "logo": {
                "@type": "ImageObject",
                "url": "https://signalblur.io/static/images/linux-ransomware.png"
            }
        },
        "url": "https://www.signalblur.io/through-the-looking-glass", <!--Add dynamic part of URL-->
        "image": {
            "@type": "ImageObject",
            "url": "https://signalblur.io/static/images/Logo-Head.png",
            "width": 1920,
            "height": 1152
        },
        "mainEntityOfPage": "https://www.signalblur.io/through-the-looking-glass", <!--Add dynamic part of URL-->
        "description": "Making security monitoring easier...ish"
    }
    </script>
  </head>
  <body>

    <!-- start cover -->
    <div class="cover-container">
      <div class="cover-image-wrapper" style="position: relative;">
        <img src="static/images/linux-ransomware.png" alt="Cover Image" class="cover-image" style="position: relative;">
        <div class="dark-overlay" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; background-color: rgba(0, 0, 0, 0.5);"></div>
        <div class="cover-content w3-stretch w3-padding-top-32" style="position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center;">
          <h1 class="title-text w3-text-white">Through the Looking Glass: A Deep Dive into Linux Ransomware Research</h1>
          <p class="author-text w3-text-white"> David Burkett | July 17, 2023</p>
        </div>
      </div>
    </div>

  <!-- First Grid -->
    <div class="w3-row-padding w3-container">
      <div class="w3-content">
        <div class="w3-auto">
          <div class="w3-row-padding w3-padding-32">
            <div class="w3-stretch">
              <h1>Through the Looking Glass: A Deep Dive into Linux Ransomware Research</h1>
<p>Over the past few weeks, I have done a deep dive into the public research available on Linux Ransomware, seeking to understand the broader landscape, as there is an overemphasis on the Mirai botnet. I discovered that although there is an abundance of <em>outstanding</em> whitepapers and research pieces, they are distributed across various blogs, making them challenging to assemble. Adding to the complexity, most samples are typically only accessible via a paid service like VirusTotal.</p>
<p>As a fellow community researcher, I recognized that there is a need to make this research more accessible, thus the write-up.</p>
<p>The journey to acquiring all the various samples accounted for a significant portion of the time spent on this blog, attesting to the very issue we're trying to address. In a field where community involvement is vital, it's unfortunate that these samples are often locked behind paid services. With this blog, I aim to challenge this dynamic and make these valuable resources more readily available to the public via accessible services such as those offered by <a href="https://abuse.ch">abuse.ch</a>.</p>
<p><img alt="Sandfly Security Logo" src="static/images/sandfly-2.png" /></p>
<blockquote>
<p>This blog post is proudly sponsored by Sandfly Security. Visit their website at https://sandflysecurity.com/. It's not by accident that I approached Sandfly Security to sponsor this post; I firmly believe in their product and confidently endorse it as one of the market's premier Linux security monitoring tools.</p>
<p>In terms of detection capabilities for Linux, no existing EDR comes close to Sandfly. The amount of telemetry data Sandfly can pull far surpasses other competitors, and its ability to support virtually all known CPU architectures and Linux flavors, including rolling releases like Arch Linux, truly sets it apart.</p>
<p>For further insight into Sandfly's powerful capabilities, I invite you to explore a previous post I've written on the product: <a href="https://www.signalblur.io/leveling-up-your-linux-security-monitoring">Leveling Up Your Linux Security Monitoring</a>. The incident handlers over at SANS have also recently shared their thoughts on Sandfly: <a href="https://isc.sans.edu/diary/Sandfly+Security/29998/">Sandfly Security by SANS</a>.</p>
</blockquote>
<h2>Understanding Linux Ransomware and its Impact</h2>
<p>The effects of a ransomware attack can be devastating. Beyond the direct financial cost of the ransom itself, victims often suffer significant data loss, downtime, and reputational damage. For businesses, this can result in loss of customer trust and potentially massive financial losses. For individuals, it can mean the loss of irreplaceable personal files and data.</p>
<p>Ransomware's primary job is to encrypt files on the targeted system, rendering them inaccessible to the user. Modern ransomware uses strong encryption algorithms, making it nearly impossible to recover the files without the unique decryption key held by the attacker.</p>
<p>Linux servers themselves make quite appealing targets for modern threat actors, as they typically run critical operations within a business as well as the databases containing some of the organization's more sensitive secrets. Now that threat actors also threaten to release the data if they are not paid (i.e., even if you have great backups and can recover), you can see why a Linux server may make a nice target.</p>
<h2>Examining the Linux Ransomware Landscape</h2>
<p>During my research, I quickly realized there are two major categories: those that target hypervisors and the related VM files, and more traditional forms that target the host server itself.</p>
<p>This is often a distinction that isn't made very clear, however it does have some major implications, namely when it comes to detecting and responding to the activity involved.</p>
<h3>Hypervisors 101: Establishing Context for Ransomware Techniques</h3>
<p>In the world of virtualization, hypervisors play an essential role. They are the software, firmware, or hardware components that create and manage virtual machines (VMs) – or servers that share the same physical hardware. Depending on how they interface with the underlying system, hypervisors are often classified as Tier 1 or Tier 2 (more commonly called Type 1 and Type 2).</p>
<h4>Tier 1 Hypervisors</h4>
<p>Also known as "bare-metal" hypervisors, Tier 1 hypervisors interact directly with the system hardware. They don't require an underlying operating system to function, instead effectively serving as the operating system for the server.</p>
<p>VMware's ESXi is a prime example of a Tier 1 hypervisor that is installed straight onto the server.</p>
<h4>Tier 2 Hypervisors</h4>
<p>In contrast, Tier 2 hypervisors, often referred to as "hosted" hypervisors, operate on top of an existing operating system, like any other software application. In this scenario, the underlying operating system is known as the "host," and the VMs' operating systems are referred to as "guests."</p>
<p>Oracle's VirtualBox is a well-known Tier 2 hypervisor that is commonly used on local systems for testing.</p>
<h3>Hypervisor-Focused Attacks</h3>
<p>A notable example of hypervisor-targeting ransomware is RedAlert. As I mentioned earlier, instead of executing a binary on the guest virtual machines (Linux and Windows servers, for example), RedAlert's crew attacks the hypervisor itself (VMware ESXi). <strong>This matters because the logs and EDR-type tooling running inside your Linux servers will <em>NOT</em> be able to see this activity: the encryption happens on the hypervisor, outside the guest operating systems.</strong></p>
<p>As <a href="https://www.bleepingcomputer.com/news/security/new-redalert-ransomware-targets-windows-linux-vmware-esxi-servers/">BleepingComputer</a> noted, the ransomware zeroes in on specific file types associated with VMware ESXi virtual machines: these include log files, swap files, virtual disks, and memory files, among others. When encrypting files, the ransomware appends the .crypt[number] extension to the file names of the encrypted files.</p>
<blockquote>
<p><strong>Targeted File Extensions</strong></p>
<p>When encrypting files, the ransomware will only target files associated with VMware ESXi virtual machines, including log files, swap files, virtual disks, and memory files, as listed below.</p>
<p><code>.log
.vmdk
.vmem
.vswp
.vmsn</code> </p>
<p>In the sample analyzed by BleepingComputer, the ransomware would encrypt these file types and append the .crypt[number] extension to the file names of encrypted files.
<strong>Source Data:</strong> <a href="https://www.bleepingcomputer.com/news/security/new-redalert-ransomware-targets-windows-linux-vmware-esxi-servers/">BleepingComputer Article</a></p>
</blockquote>
<p><strong>Hypervisor Focused Families</strong></p>
<ul>
<li>RedAlert (esxcli)         <strong>SHA256:</strong> 039e1765de1cdec65ad5e49266ab794f8e5642adb0bdeb78d8c0b77e8b34ae09</li>
<li>Conti                     <strong>SHA256:</strong> 8b57e96e90cd95fc2ba421204b482005fe41c28f506730b6148bcef8316a3201</li>
<li>BlackBasta                <strong>SHA256:</strong> 96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be</li>
<li>Sodinokibi/REvil          <strong>SHA256:</strong> a322b230a3451fd11dcfe72af4da1df07183d6aaf1ab9e062f0e6b14cf6d23cd</li>
<li>BlackMatter/DarkSide      <strong>SHA256:</strong> 6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502</li>
<li>Defray777/RansomEXX       <strong>SHA256:</strong> cb408d45762a628872fa782109e8fcfc3a5bf456074b007de21e9331bb3c5849</li>
<li>HelloKitty/ViceSociety    <strong>SHA256:</strong> 556e5cb5e4e77678110961c8d9260a726a363e00bf8d278e5302cb4bfccc3eed</li>
<li>Royal                     <strong>SHA256:</strong> b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c</li>
<li>BlackSuit                 <strong>SHA256:</strong> 1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e</li>
<li>RTM Locker                <strong>SHA256:</strong> d68c99d7680bf6a4644770edfe338b8d0591dfe143278412d5ed62848ffc99e0</li>
</ul>
<h4>Detection Strategies</h4>
<ul>
<li>Ensure your ESXi servers are logging to your SIEM, and alert on <em>any</em> <code>SSH</code> attempt, whether it succeeds or fails. Having <code>SSH</code> enabled on the ESXi host is typically bad practice; however, if you have to allow it, ensure the organization baselines which networks the traffic originates from.</li>
<li>Alert on network traffic over port 22 either via network metadata in the SIEM or via a Network Intrusion Detection System (NIDS) such as <a href="https://docs.securityonion.net/en/2.3/">SecurityOnion</a>.</li>
<li>If running SecurityOnion, take advantage of <a href="https://docs.securityonion.net/en/2.3/strelka.html">Strelka</a> to run YARA signatures across the files traversing the organization's network.</li>
</ul>
<hr />
<h3>Traditional Host Targeting</h3>
<p>You can think of these as more similar to a traditional Windows Ransomware binary: they execute on the host itself, where you may already have some traditional visibility in place.</p>
<ul>
<li>Hive                      <strong>SHA256:</strong> 713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771</li>
<li>GonnaCry                  <strong>SHA256:</strong> f5de75a6db591fe6bb6b656aa1dcfc8f7fe0686869c34192bfa4ec092554a4ac</li>
<li>Erebus                    <strong>SHA256:</strong> 0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f</li>
<li>eChOraix/QNAPCrypt        <strong>SHA256:</strong> cc112184b17d65229ce20487d98a3751dceb3efbee7bf70929a35b66416ae248</li>
<li>Cylance Ransomware        <strong>SHA256:</strong> d1ba6260e2c6bf82be1d6815e19a1128aa0880f162a0691f667061c8fe8f1b2c</li>
<li>Polaris                               <strong>SHA256:</strong> e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9</li>
</ul>
<h4>Detection Strategies</h4>
<p>One common disappointment in many technical write-ups about Linux-based malware, including ransomware, is the overemphasis and focus on reverse-engineering the malicious binary. This often overshadows crucial aspects such as how was the malware delivered? Once the binary was on disk, what method was used to execute the binary?</p>
<p>This was a big source of disappointment. That said, as you've probably guessed, most of the initial access that I was able to identify involved the exploitation of some sort of RCE in a service that is exposed to the internet. With this information we can form a few differing detection hypotheses:</p>
<ul>
<li>Exploiting an RCE of an application exposed to the internet will likely spawn some abnormal child processes. Identify the process names of your applications and their associated database processes, and baseline which child processes are normal and what the normal CLI arguments are. A detection would look something like <code>parent.process:$APP_Processname | child.process:$Any_Process_Not_In_Normal_Baseline</code>. This visibility is provided by the built-in logging of Linux or by most modern 3rd party security monitoring tools.</li>
<li>It is likely also a good idea to apply the above detection method to your webserver (<code>caddy</code>, <code>nginx</code>, <code>apache2</code>, etc.) for the same purpose.</li>
<li><a href="https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-exposing-malware-in-linux-based-multi-cloud-environments.pdf">VMWare put out a <em>wonderful</em> set of research around Linux malware</a> that confirmed something I've always had a hunch was true, but never had data to actually back up: <em>MOST</em> legitimate Linux software is not packed, which should make any packed binary executing on a Linux server in your environment worth looking at and alerting on. You can identify this through tooling that captures a binary's entropy, or through the use of YARA rules identifying packed <code>ELF</code> binaries that contain packers like <code>UPX</code>.</li>
</ul>
<p><img alt="Linux Malware Data" src="static/images/linux-ransom.png" /></p>
<h2>Conclusion</h2>
<p>Ultimately, digging into Linux Ransomware was illuminating. The state of Linux malware research has such a heavy emphasis on Coinminers that I was honestly surprised by the amount of Ransomware out there that impacts Linux. It was also surprising to see that most of the Linux-targeting Ransomware identified in the research I found works by attacking the Linux VMs at the hypervisor level, making it essentially invisible to your EDR tooling and logging alone - which I think would be a surprise to many. A key takeaway I recommend - <strong><em>send your hypervisor logs to your SIEM and build those detectors!!!</em></strong></p>
<h2>YARA Signatures</h2>
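<p>Here is a list of YARA signatures I was able to identify and find for the Ransomware discussed in this article. Note that the generic rule matches on any two of its strings, some of which are fairly common (for example <code>execvp failure</code>), so validate it against known-good binaries in your environment before using it for alerting.</p>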
<h3>Generic ESXi-based Ransomware</h3>
<div class="codehilite"><pre><span></span><code><span class="c1">// Source: https://github.com/signalblur/detection-artifacts/blob/main/yara/linux_malware.yar</span>

<span class="n">rule</span><span class="w"> </span><span class="n">eSXI_Ransomware</span><span class="w"> </span><span class="p">{</span>
<span class="w">   </span><span class="n">meta</span><span class="p">:</span>
<span class="w">      </span><span class="n">description</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;linux_ransomware - file DarkSide_BlackMatter&quot;</span>
<span class="w">      </span><span class="n">author</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;signalblur&quot;</span>
<span class="w">      </span><span class="n">reference</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Linux Research&quot;</span>
<span class="w">      </span><span class="n">date</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;2023-07-17&quot;</span>
<span class="w">      </span><span class="n">DarkSide_BlackMatter_hash1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502&quot;</span>
<span class="w">      </span><span class="n">HelloKitty_hash2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;556e5cb5e4e77678110961c8d9260a726a363e00bf8d278e5302cb4bfccc3eed&quot;</span>
<span class="w">      </span><span class="n">Conti_hash3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;8b57e96e90cd95fc2ba421204b482005fe41c28f506730b6148bcef8316a3201&quot;</span>
<span class="w">   </span><span class="n">strings</span><span class="p">:</span>
<span class="w">      </span><span class="o">$</span><span class="n">a1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Unable To Get Process List&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">a2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;app::esxi_utils::get_process_list&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">a3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;app::master_proc::process_file_encryption&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">a4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;app::file_encrypter::process_file&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">a5</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;execvp failure&quot;</span><span class="w"> </span><span class="n">ascii</span>

<span class="w">      </span><span class="o">$</span><span class="n">e1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;esxcli vm process kill&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">e2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;esxcli vm process list&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">e3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;esxcli --formatter=csv&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">e4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;error encrypt: </span><span class="si">%s</span><span class="s2"> rename back:</span><span class="si">%s</span><span class="s2">&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">e5</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;vm process kill --type=force&quot;</span><span class="w"> </span><span class="n">ascii</span>

<span class="w">      </span><span class="o">$</span><span class="n">r1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Download TOR Browser&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">r2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;We offer you to purchase special decryption software&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">r3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Using silent mode, if you on esxi - stop VMs manualy&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">r4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;File [</span><span class="si">%s</span><span class="s2">] was encrypted&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">r5</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;File [</span><span class="si">%s</span><span class="s2">] was NOT encrypted&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">r6</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot; without --path encrypts current dir&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">r7</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;All of your files are currently encrypted by CONTI strain&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">r8</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;DON&#39;T TRY TO IGNORE&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">r9</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;DONT&#39;T TRY TO RECOVER&quot;</span><span class="w"> </span><span class="n">ascii</span>

<span class="w">   </span><span class="n">condition</span><span class="p">:</span>
<span class="w">      </span><span class="n">uint16</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mh">0x457f</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">filesize</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mi">6000</span><span class="n">KB</span><span class="w"> </span><span class="ow">and</span>
<span class="w">      </span><span class="mi">2</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">them</span>
<span class="p">}</span>
</code></pre></div>

<h3>RedAlert</h3>
<div class="codehilite"><pre><span></span><code><span class="c1">// Source: https://github.com/signalblur/detection-artifacts/blob/main/yara/linux_malware.yar</span>

<span class="n">rule</span><span class="w"> </span><span class="n">RedAlert</span><span class="w"> </span><span class="p">{</span><!--
  RedAlert: YARA rule quoted on this page (meta credits author "signalblur", dated 2023-07-17).
  It fires on a file when all three hold: the first two bytes read as 0x457f (little-endian
  7F 45, the start of the ELF magic), the file is smaller than 1000KB, and at least 5 of the
  15 ASCII strings below are present.
  The strings are plaintext literals, so a match depends on the file carrying them unmodified.
  NOTE(review): a packed or string-obfuscated build would presumably not match; treat this as
  one static signal alongside behavioural detection, not as complete coverage.
-->
<span class="w">   </span><span class="n">meta</span><span class="p">:</span>
<span class="w">      </span><span class="n">description</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;linux_ransomware - file RedAlert&quot;</span>
<span class="w">      </span><span class="n">author</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;signalblur&quot;</span>
<span class="w">      </span><span class="n">reference</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Linux Research&quot;</span>
<span class="w">      </span><span class="n">date</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;2023-07-17&quot;</span>
<span class="w">      </span><span class="n">hash1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;039e1765de1cdec65ad5e49266ab794f8e5642adb0bdeb78d8c0b77e8b34ae09&quot;</span><!--
  meta values are informational only; YARA does not evaluate them in the condition.
  hash1 is 64 hex characters, presumably the SHA-256 of the reference sample: confirm against the author's source.
-->
<span class="w">   </span><span class="n">strings</span><span class="p">:</span>
<span class="w">      </span><span class="o">$</span><span class="n">s1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;esxcli --formatter=csv&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;vm process list | tail -n +2&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Run command for stop all running VM`s.&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;vm process kill&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span><!--
  NOTE(review): $s1, $s2 and $s4 look like fragments of ESXi VM-management commands, which
  legitimate admin scripts may also contain; on their own they reach at most three of the five required hits.
-->
<span class="w">      </span><span class="o">$</span><span class="n">s5</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;# ATTENTION the argument given first will be used for target(file or path)&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s6</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;search and encryption will include subdirectories&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s9</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Download TOR Browser&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s10</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;[info] Execution time check: </span><span class="si">%f</span><span class="s2">&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span><!-- %f here (and %s in $s16) is matched as literal characters, i.e. the format string as stored in the file, not formatted output. -->
<span class="w">      </span><span class="o">$</span><span class="n">s11</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Encryption is reverssible process&quot;</span><span class="w"> </span><span class="n">ascii</span><!-- "reverssible" is spelled this way in the matched literal; presumably it mirrors the sample's own text, and correcting the spelling here would change what is matched. -->
<span class="w">      </span><span class="o">$</span><span class="n">s15</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Run command for stop all running VM`s&quot;</span><span class="w"> </span><span class="n">ascii</span><!--
  NOTE(review): $s15 is $s3 without the trailing period and has no fullword modifier, so wherever
  $s3 matches, $s15 matches too; that pair contributes two of the five required hits from one piece of text.
-->
<span class="w">      </span><span class="o">$</span><span class="n">s16</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;[info] File: </span><span class="si">%s</span><span class="s2">/</span><span class="si">%s</span><span class="s2">, begin encryption&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s17</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Don&#39;t modify contents of the encrypted files&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s18</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;We offer you to purchase special decryption software, payment includes decryptor, key for it and erasure of stolen data&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s19</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;DumpHex&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s20</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;On our webpage you will be able to purchase decryptor, chat with our support and decrypt few files for free&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">   </span><span class="n">condition</span><span class="p">:</span>
<span class="w">      </span><span class="n">uint16</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mh">0x457f</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">filesize</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mi">1000</span><span class="n">KB</span><span class="w"> </span><span class="ow">and</span>
<span class="w">      </span><span class="mi">5</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">them</span><!--
  NOTE(review): uint16(0) covers only the first two magic bytes; uint32(0) == 0x464c457f would
  test the full four-byte ELF magic. The 1000KB ceiling means larger files are never matched,
  whatever strings they hold. "5 of them" counts any five of the $s strings declared above.
-->
<span class="p">}</span>
</code></pre></div>

<div class="codehilite"><pre><span></span><code><span class="c1">// Source: https://github.com/reversinglabs/reversinglabs-yara-rules/blob/develop/yara/ransomware/Linux.Ransomware.RedAlert.yara</span>

<span class="nx">rule</span><span class="w"> </span><span class="nx">Linux_Ransomware_RedAlert</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">tc_detection</span><span class="w"> </span><span class="nx">malicious</span>
<span class="p">{</span>
<span class="w">    </span><span class="nx">meta</span><span class="p">:</span>
<span class="w">        </span><span class="nx">author</span><span class="w">              </span><span class="p">=</span><span class="w"> </span><span class="s">&quot;ReversingLabs&quot;</span>

<span class="w">        </span><span class="nx">source</span><span class="w">              </span><span class="p">=</span><span class="w"> </span><span class="s">&quot;ReversingLabs&quot;</span>
<span class="w">        </span><span class="nx">status</span><span class="w">              </span><span class="p">=</span><span class="w"> </span><span class="s">&quot;RELEASED&quot;</span>
<span class="w">        </span><span class="nx">sharing</span><span class="w">             </span><span class="p">=</span><span class="w"> </span><span class="s">&quot;TLP:WHITE&quot;</span>
<span class="w">        </span><span class="nx">category</span><span class="w">            </span><span class="p">=</span><span class="w"> </span><span class="s">&quot;MALWARE&quot;</span>
<span class="w">        </span><span class="nx">malware</span><span class="w">             </span><span class="p">=</span><span class="w"> </span><span class="s">&quot;REDALERT&quot;</span>
<span class="w">        </span><span class="nx">description</span><span class="w">         </span><span class="p">=</span><span class="w"> </span><span class="s">&quot;Yara rule that detects RedAlert ransomware.&quot;</span>

<span class="w">        </span><span class="nx">tc_detection_type</span><span class="w">   </span><span class="p">=</span><span class="w"> </span><span class="s">&quot;Ransomware&quot;</span>
<span class="w">        </span><span class="nx">tc_detection_name</span><span class="w">   </span><span class="p">=</span><span class="w"> </span><span class="s">&quot;RedAlert&quot;</span>
<span class="w">        </span><span class="nx">tc_detection_factor</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="mi">5</span>
<span class="w">    </span><span class="nx">strings</span><span class="p">:</span>

<span class="w">        </span><span class="err">$</span><span class="nx">encrypt_files_p1</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">{</span>
<span class="w">            </span><span class="mi">41</span><span class="w"> </span><span class="mi">57</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">56</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">55</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">54</span><span class="w"> </span><span class="mi">55</span><span class="w"> </span><span class="mi">53</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">81</span><span class="w"> </span><span class="nx">EC</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span>
<span class="w">            </span><span class="mi">89</span><span class="w"> </span><span class="mi">54</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">C5</span><span class="w"> </span><span class="mi">75</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">EB</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">C7</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">83</span><span class="w"> </span><span class="nx">F8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">C3</span><span class="w"> </span><span class="mi">75</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EF</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="nx">E9</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="mi">54</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="mi">89</span><span class="w"> </span><span class="nx">C6</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">FF</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="mi">75</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">EB</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="nx">B4</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">D</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="nx">F6</span><span class="w"> </span><span class="mi">7</span><span class="nx">F</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">DF</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">EB</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">49</span>
<span class="w">            </span><span class="mi">81</span><span class="w"> </span><span class="nx">FE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">C7</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="mi">97</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">49</span><span class="w"> </span><span class="mi">81</span><span class="w"> </span><span class="nx">FE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="mi">97</span>
<span class="w">            </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">80</span><span class="w"> </span><span class="mi">7</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BA</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">F0</span><span class="w"> </span><span class="nx">C7</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span>
<span class="w">            </span><span class="nx">D3</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">D2</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="nx">F7</span><span class="w"> </span><span class="nx">F3</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">6</span><span class="nx">B</span><span class="w"> </span><span class="nx">C8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">49</span><span class="w"> </span><span class="mi">81</span><span class="w"> </span><span class="nx">FE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">77</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">D</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">F4</span><span class="w"> </span><span class="mi">41</span>
<span class="w">            </span><span class="nx">BD</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">C7</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">EB</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="nx">BC</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">45</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">ED</span><span class="w"> </span><span class="nx">C7</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">D</span><span class="w"> </span><span class="mi">63</span><span class="w"> </span><span class="nx">FD</span><span class="w"> </span><span class="nx">C7</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="nx">AF</span><span class="w"> </span><span class="mi">7</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E9</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">80</span><span class="w"> </span><span class="mi">7</span><span class="nx">C</span>
<span class="w">            </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">45</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="nx">ED</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">80</span><span class="w"> </span><span class="mi">7</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="mi">45</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">3</span><span class="nx">B</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">FE</span>
<span class="w">            </span><span class="mi">75</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">49</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="nx">B6</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">EB</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">F6</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">D2</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EF</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">63</span><span class="w"> </span><span class="mi">7</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E9</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E2</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">03</span><span class="w"> </span><span class="mi">7</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">39</span><span class="w"> </span><span class="nx">E0</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">EB</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">01</span><span class="w"> </span><span class="mi">64</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="nx">FF</span><span class="w"> </span><span class="nx">C5</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">3</span><span class="nx">B</span><span class="w"> </span><span class="mi">6</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="mi">9</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BA</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">DF</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">EB</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="nx">BC</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BA</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">DE</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="nx">C0</span>
<span class="w">            </span><span class="mi">74</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">63</span><span class="w"> </span><span class="mi">6</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">45</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E7</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">64</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="nx">AF</span>
<span class="w">            </span><span class="mi">6</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">C6</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">C7</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E9</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="nx">B8</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">B9</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BA</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">DF</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">84</span>
<span class="w">        </span><span class="p">}</span>

<span class="w">        </span><span class="c1">// Second part of a two-part byte signature; judging by the name it covers the sample's file-encryption routine.</span>
<span class="w">        </span><span class="c1">// It continues directly from the preceding string: that one ends on 84 and this one opens with C0, and</span>
<span class="w">        </span><span class="c1">// 84 C0 is test al, al, so the split falls inside a single instruction.</span>
<span class="w">        </span><span class="c1">// ?? wildcards sit where call/jump displacements (after E8, E9, EB, 74, 75), 32-bit immediates (after BA, BE, BF)</span>
<span class="w">        </span><span class="c1">// and rsp-relative stack offsets (after a 24 SIB byte) would be; presumably masked because they change between builds.</span>
<span class="w">        </span><span class="c1">// NOTE(review): each half is only meaningful together with the other; confirm the rule condition (not shown here)</span>
<span class="w">        </span><span class="c1">// requires both parts rather than either one.</span>
<span class="w">        </span><span class="err">$</span><span class="nx">encrypt_files_p2</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">{</span>
<span class="w">            </span><span class="nx">C0</span><span class="w"> </span><span class="mi">75</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">54</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">7</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E9</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="nx">B7</span>
<span class="w">            </span><span class="mi">15</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">39</span><span class="w"> </span><span class="nx">D0</span><span class="w"> </span><span class="mi">75</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E9</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="nx">B7</span><span class="w"> </span><span class="mi">50</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span>
<span class="w">            </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">38</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="nx">B7</span><span class="w"> </span><span class="mi">51</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">39</span><span class="w"> </span><span class="nx">D0</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E9</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EF</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">03</span><span class="w"> </span><span class="mi">7</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">3</span><span class="nx">B</span><span class="w"> </span><span class="mi">6</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="mi">8</span><span class="nx">C</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E9</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">EB</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E9</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">80</span><span class="w"> </span><span class="mi">7</span><span class="nx">C</span>
<span class="w">            </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">83</span><span class="w"> </span><span class="mi">7</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">80</span><span class="w"> </span><span class="mi">7</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EE</span><span class="w"> </span><span class="nx">FF</span><span class="w"> </span><span class="nx">C0</span>
<span class="w">            </span><span class="mi">3</span><span class="nx">B</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">75</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">49</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="nx">B6</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">EB</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">F6</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">D2</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EF</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span>
<span class="w">            </span><span class="mi">63</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">5</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="nx">B4</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="nx">BC</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">C9</span><span class="w"> </span><span class="mi">31</span>
<span class="w">            </span><span class="nx">D2</span><span class="w"> </span><span class="mi">45</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E1</span><span class="w"> </span><span class="nx">C7</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">C7</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">01</span><span class="w"> </span><span class="nx">C3</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">49</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">D8</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">1</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E9</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E2</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">DF</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">39</span><span class="w"> </span><span class="nx">E0</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="nx">FF</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">54</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">01</span><span class="w"> </span><span class="mi">54</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">39</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">75</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">F6</span><span class="w"> </span><span class="nx">BA</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EF</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="nx">BC</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E9</span><span class="w"> </span><span class="nx">BA</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">8</span><span class="nx">A</span><span class="w"> </span><span class="mi">5</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">83</span><span class="w"> </span><span class="nx">F8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">B0</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="nx">D8</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">3</span><span class="nx">B</span><span class="w"> </span><span class="mi">7</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">88</span><span class="w"> </span><span class="mi">5</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">03</span><span class="w"> </span><span class="mi">7</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">03</span><span class="w"> </span><span class="mi">6</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">39</span>
<span class="w">            </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="mi">8</span><span class="nx">C</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EF</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="nx">B6</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">81</span><span class="w"> </span><span class="nx">C4</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="c1">// Final bytes: end of add rsp, imm32 (48 81 C4 ...), then pop rbx, rbp, r12, r13, r14, r15 and ret (C3),</span>
<span class="w">            </span><span class="c1">// so the pattern runs through the function epilogue to its return.</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="mi">5</span><span class="nx">B</span><span class="w"> </span><span class="mi">5</span><span class="nx">D</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">5</span><span class="nx">C</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">5</span><span class="nx">D</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">5</span><span class="nx">E</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">5</span><span class="nx">F</span><span class="w"> </span><span class="nx">C3</span>
<span class="w">        </span><span class="p">}</span>

<span class="w">        </span><span class="err">$</span><span class="nx">find_files_p1</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">{</span>
<span class="w">            </span><span class="mi">41</span><span class="w"> </span><span class="mi">57</span><span class="w"> </span><span class="nx">FC</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">56</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">55</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">54</span><span class="w"> </span><span class="mi">49</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">FC</span><span class="w"> </span><span class="mi">55</span><span class="w"> </span><span class="mi">53</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">83</span><span class="w"> </span><span class="nx">EC</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span>
<span class="w">            </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">83</span><span class="w"> </span><span class="nx">C9</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">88</span><span class="w"> </span><span class="mi">54</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span>
<span class="w">            </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">8</span><span class="nx">A</span><span class="w"> </span><span class="nx">BC</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="mi">24</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="nx">F2</span><span class="w"> </span><span class="nx">AE</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span>
<span class="w">            </span><span class="nx">E7</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="nx">F7</span><span class="w"> </span><span class="nx">D1</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="mi">71</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">38</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">83</span><span class="w"> </span><span class="nx">C4</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E6</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">C2</span><span class="w"> </span><span class="mi">5</span><span class="nx">B</span><span class="w"> </span><span class="mi">5</span><span class="nx">D</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">5</span><span class="nx">C</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">5</span><span class="nx">D</span><span class="w"> </span><span class="mi">41</span>
<span class="w">            </span><span class="mi">5</span><span class="nx">E</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">5</span><span class="nx">F</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="nx">E9</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">45</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="nx">FF</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="mi">6</span><span class="nx">B</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="nx">B6</span><span class="w"> </span><span class="mi">4</span><span class="nx">B</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EA</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E6</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">80</span><span class="w"> </span><span class="mi">7</span><span class="nx">B</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="mi">80</span><span class="w"> </span><span class="mi">7</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EF</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="mi">84</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EF</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EF</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">FC</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">83</span><span class="w"> </span><span class="nx">C9</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EF</span>
<span class="w">            </span><span class="nx">F2</span><span class="w"> </span><span class="nx">AE</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">F0</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">29</span><span class="w"> </span><span class="nx">C8</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">3</span><span class="nx">B</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">76</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">3</span><span class="nx">D</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E9</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E2</span>
<span class="w">            </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E9</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">B</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="mi">1</span><span class="nx">C</span><span class="w"> </span><span class="mi">34</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EE</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="mi">7</span><span class="nx">B</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="nx">C6</span><span class="w"> </span><span class="mi">03</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="nx">B6</span><span class="w"> </span><span class="nx">C7</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span>
<span class="w">            </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BA</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E7</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span>
<span class="w">        </span><span class="p">}</span>

<span class="w">        </span><span class="err">$</span><span class="nx">find_files_p2</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">{</span>
<span class="w">            </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">04</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="nx">E8</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E9</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">45</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="nx">FF</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">FC</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">83</span><span class="w"> </span><span class="nx">C9</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EF</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">88</span>
<span class="w">            </span><span class="nx">F8</span><span class="w"> </span><span class="nx">F2</span><span class="w"> </span><span class="nx">AE</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">54</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EF</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">CB</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="nx">F7</span><span class="w"> </span><span class="nx">D3</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">DE</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="mi">6</span><span class="nx">B</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EA</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E6</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="nx">E9</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EA</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EF</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">DE</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EF</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">B</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="mi">1</span><span class="nx">C</span><span class="w"> </span><span class="mi">34</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EA</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span>
<span class="w">            </span><span class="mi">89</span><span class="w"> </span><span class="nx">E6</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="mi">7</span><span class="nx">B</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EE</span><span class="w"> </span><span class="nx">C6</span><span class="w"> </span><span class="mi">03</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="nx">B7</span><span class="w"> </span><span class="mi">0</span><span class="nx">D</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E7</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">44</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">54</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">FF</span><span class="w"> </span><span class="mi">15</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">7</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">B9</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E2</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E7</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">7</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="mi">56</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E6</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">C6</span><span class="w"> </span><span class="mi">03</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">7</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">C3</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span>
<span class="w">            </span><span class="mi">85</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">7</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">83</span><span class="w"> </span><span class="nx">C4</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">5</span><span class="nx">B</span><span class="w"> </span><span class="mi">5</span><span class="nx">D</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">5</span><span class="nx">C</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">5</span><span class="nx">D</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">5</span><span class="nx">E</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">5</span><span class="nx">F</span><span class="w"> </span><span class="nx">E9</span>
<span class="w">        </span><span class="p">}</span>

<span class="w">        </span><span class="err">$</span><span class="nx">setup_environment</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">{</span>
            // Code signature over what looks like one complete x86-64 function: it opens on
            // the prologue (55 48 89 E5 = push rbp; mov rbp, rsp) and closes on C9 C3 (leave; ret).
            // The ?? wildcards cover call targets (E8 rel32), 32-bit immediates (BE/BF imm32) and
            // one-byte stack offsets, presumably because those operands vary between builds.
            // NOTE(review): the 16-bit RIP-relative accesses (66 8B 3D, 66 03 3D, 66 8B 05, 66 39 05)
            // keep the upper displacement bytes fixed (?? ?? 22 00), while the 0F B7 35 / 0F B7 3D
            // loads wildcard all four. The fixed bytes pin the code-to-data distance, so a relinked
            // build may stop matching; confirm against more samples before relying on this string alone.
<span class="w">            </span><span class="mi">55</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E5</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">56</span><span class="w"> </span><span class="mi">49</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">F6</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">55</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">54</span><span class="w"> </span><span class="mi">53</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">FB</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">83</span><span class="w"> </span><span class="nx">EC</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="mi">49</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">C4</span><span class="w"> </span><span class="mi">75</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="mi">7</span><span class="nx">D</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">DF</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="mi">49</span>
<span class="w">            </span><span class="mi">89</span><span class="w"> </span><span class="nx">C4</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="nx">B7</span><span class="w"> </span><span class="mi">55</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">7</span><span class="nx">D</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">C1</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="nx">B7</span><span class="w"> </span><span class="mi">55</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">7</span><span class="nx">D</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E1</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="nx">B7</span><span class="w"> </span><span class="mi">55</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">C9</span><span class="w"> </span><span class="mi">39</span><span class="w"> </span><span class="nx">C2</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="mi">85</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E9</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E9</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="mi">49</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E5</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">66</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">3</span><span class="nx">D</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">22</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">66</span><span class="w"> </span><span class="mi">03</span><span class="w"> </span><span class="mi">3</span><span class="nx">D</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">22</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">66</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">05</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="mi">22</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">66</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">7</span><span class="nx">D</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="nx">B7</span><span class="w"> </span><span class="nx">FF</span><span class="w"> </span><span class="mi">66</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">45</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="nx">B7</span><span class="w"> </span><span class="mi">7</span><span class="nx">D</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">45</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="nx">B7</span><span class="w"> </span><span class="mi">55</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">7</span><span class="nx">D</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E1</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="mi">45</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="nx">B7</span><span class="w"> </span><span class="mi">55</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">7</span><span class="nx">D</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E1</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">75</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="nx">B7</span><span class="w"> </span><span class="mi">45</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="nx">B7</span><span class="w"> </span><span class="mi">35</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">C9</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">7</span><span class="nx">D</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">83</span>
<span class="w">            </span><span class="nx">C0</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">25</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">29</span><span class="w"> </span><span class="nx">C4</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="mi">5</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">83</span><span class="w"> </span><span class="nx">E3</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">DA</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span>
<span class="w">            </span><span class="mi">89</span><span class="w"> </span><span class="nx">DE</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="nx">B7</span><span class="w"> </span><span class="mi">3</span><span class="nx">D</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">03</span>
<span class="w">            </span><span class="mi">7</span><span class="nx">D</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">66</span><span class="w"> </span><span class="mi">39</span><span class="w"> </span><span class="mi">05</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">22</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span>
<span class="w">            </span><span class="nx">EC</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">C9</span><span class="w"> </span><span class="nx">EB</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E7</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="mi">75</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">B9</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">F7</span><span class="w"> </span><span class="nx">FC</span><span class="w"> </span><span class="nx">F3</span><span class="w"> </span><span class="nx">A5</span>
<span class="w">            </span><span class="nx">B1</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">EB</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EC</span><span class="w"> </span><span class="nx">EB</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="mi">65</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">C8</span><span class="w"> </span><span class="mi">5</span><span class="nx">B</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">5</span><span class="nx">C</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">5</span><span class="nx">D</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">5</span><span class="nx">E</span><span class="w"> </span><span class="nx">C9</span><span class="w"> </span><span class="nx">C3</span>
<span class="w">        </span><span class="p">}</span>

<span class="w">        </span><span class="err">$</span><span class="nx">make_configuration</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">{</span>
<span class="w">            </span><span class="mi">41</span><span class="w"> </span><span class="mi">56</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">49</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">FE</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">55</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">54</span><span class="w"> </span><span class="mi">55</span><span class="w"> </span><span class="mi">53</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">83</span><span class="w"> </span><span class="nx">EC</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="mi">88</span><span class="w"> </span><span class="nx">C3</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">FF</span><span class="w"> </span><span class="nx">EB</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BA</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="nx">B7</span><span class="w"> </span><span class="nx">F0</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">B9</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">49</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">C4</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">C2</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">66</span><span class="w"> </span><span class="nx">C7</span><span class="w"> </span><span class="mi">00</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">C6</span><span class="w"> </span><span class="mi">40</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E6</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span>
<span class="w">            </span><span class="nx">E6</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E7</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="mi">75</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">FC</span><span class="w"> </span><span class="mi">88</span><span class="w"> </span><span class="nx">D8</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">83</span><span class="w"> </span><span class="nx">C9</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">F2</span><span class="w"> </span><span class="nx">AE</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="nx">F7</span><span class="w"> </span><span class="nx">D1</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="nx">FF</span><span class="w"> </span><span class="nx">C9</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="mi">59</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="mi">83</span><span class="w"> </span><span class="nx">C1</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">63</span><span class="w"> </span><span class="nx">F9</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">C5</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="mi">84</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">D</span><span class="w"> </span><span class="mi">78</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span>
<span class="w">            </span><span class="mi">63</span><span class="w"> </span><span class="nx">D3</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">C6</span><span class="w"> </span><span class="mi">00</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EF</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="mi">48</span><span class="w"> </span><span class="mi">85</span><span class="w"> </span><span class="nx">C0</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">C3</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">74</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">0</span><span class="nx">F</span><span class="w"> </span><span class="nx">B7</span><span class="w"> </span><span class="mi">54</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="nx">B</span><span class="w"> </span><span class="mi">7</span><span class="nx">C</span><span class="w"> </span><span class="mi">24</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">C1</span><span class="w"> </span><span class="nx">BE</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">DF</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">EF</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span>
<span class="w">            </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E7</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">4</span><span class="nx">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">F7</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="nx">E6</span><span class="w"> </span><span class="nx">B9</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">FC</span><span class="w"> </span><span class="nx">F3</span><span class="w"> </span><span class="nx">A5</span>
<span class="w">            </span><span class="mi">48</span><span class="w"> </span><span class="mi">83</span><span class="w"> </span><span class="nx">C4</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="mi">5</span><span class="nx">B</span><span class="w"> </span><span class="mi">5</span><span class="nx">D</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">5</span><span class="nx">C</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">5</span><span class="nx">D</span><span class="w"> </span><span class="mi">41</span><span class="w"> </span><span class="mi">5</span><span class="nx">E</span><span class="w"> </span><span class="nx">C3</span><span class="w"> </span><span class="nx">BF</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E8</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="p">??</span><span class="w"> </span><span class="nx">E9</span>
<span class="w">        </span><span class="p">}</span>

<span class="w">    </span><span class="nx">condition</span><span class="p">:</span>
<span class="w">        </span><span class="nx">uint32</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mh">0x4</span><span class="mi">64</span><span class="nx">C457F</span><span class="w"> </span><span class="k">and</span>
<span class="w">        </span><span class="p">(</span>
<span class="w">            </span><span class="err">$</span><span class="nx">setup_environment</span>
<span class="w">        </span><span class="p">)</span><span class="w"> </span><span class="k">and</span>
<span class="w">        </span><span class="p">(</span>
<span class="w">            </span><span class="nx">all</span><span class="w"> </span><span class="nx">of</span><span class="w"> </span><span class="p">(</span><span class="err">$</span><span class="nx">find_files_p</span><span class="o">*</span><span class="p">)</span>
<span class="w">        </span><span class="p">)</span><span class="w"> </span><span class="k">and</span>
<span class="w">        </span><span class="p">(</span>
<span class="w">            </span><span class="nx">all</span><span class="w"> </span><span class="nx">of</span><span class="w"> </span><span class="p">(</span><span class="err">$</span><span class="nx">encrypt_files_p</span><span class="o">*</span><span class="p">)</span>
<span class="w">        </span><span class="p">)</span><span class="w"> </span><span class="k">and</span>
<span class="w">        </span><span class="p">(</span>
<span class="w">            </span><span class="err">$</span><span class="nx">make_configuration</span>
<span class="w">        </span><span class="p">)</span>
<span class="p">}</span>
</code></pre></div>

<div class="codehilite"><pre><span></span><code>// Source: https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Linux_Ransomware_RedAlert.yar

// Elastic Security signature for the RedAlert Linux ransomware family (see threat_name).
// It combines four ASCII strings with one code-byte pattern. The condition has no
// file-header or size guard, which is consistent with scan_context = "file, memory".
<span class="k">rule</span><span class="w"> </span><span class="n">Linux_Ransomware_RedAlert_39642d52</span><span class="w"> </span><span class="err">{</span>
<span class="w">    </span><span class="nl">meta</span><span class="p">:</span>
<span class="w">        </span><span class="n">author</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;Elastic Security&quot;</span>
<span class="w">        </span><span class="n">id</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;39642d52-0a4b-48d5-bb62-8f37beb4dc6a&quot;</span>
<span class="w">        </span><span class="n">fingerprint</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;744524ee2ae9e3e232f15b0576cdab836ac0fe3c9925eab66ed8c6b0be3f23d7&quot;</span>
<span class="w">        </span><span class="n">creation_date</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;2022-07-06&quot;</span>
<span class="w">        </span><span class="n">last_modified</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;2022-08-16&quot;</span>
<span class="w">        </span><span class="n">threat_name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;Linux.Ransomware.RedAlert&quot;</span>
<span class="w">        </span><span class="n">reference_sample</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;039e1765de1cdec65ad5e49266ab794f8e5642adb0bdeb78d8c0b77e8b34ae09&quot;</span>
<span class="w">        </span><span class="n">severity</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="mi">100</span>
<span class="w">        </span><span class="n">arch_context</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;x86&quot;</span>
<span class="w">        </span><span class="n">scan_context</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;file, memory&quot;</span>
<span class="w">        </span><span class="n">license</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;Elastic License v2&quot;</span>
<span class="w">        </span><span class="n">os</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;linux&quot;</span>
<span class="w">    </span><span class="nl">strings</span><span class="p">:</span>
        // The four $str_* entries are literal ASCII strings, each with the fullword modifier.
<span class="w">        </span><span class="err">$</span><span class="n">str_ransomnote</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;\\%\\%\\%\\%\\%\\%\\%\\%\\%\\%\\%\\%\\%\\%\\% REDALERT UNIQUE IDENTIFIER START \\%\\%\\%\\%\\%\\%\\%\\%\\%\\%\\%\\%\\%\\%\\%&quot;</span><span class="w"> </span><span class="nf">ascii</span><span class="w"> </span><span class="n">fullword</span>
<span class="w">        </span><span class="err">$</span><span class="n">str_print</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;\t\t\t########\n\t\t\t[ N13V ]\n\t\t\t########\n\n&quot;</span><span class="w"> </span><span class="nf">ascii</span><span class="w"> </span><span class="n">fullword</span>
<span class="w">        </span><span class="err">$</span><span class="n">str_arg</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;[info] Catch -t argument. Check encryption time&quot;</span><span class="w"> </span><span class="nf">ascii</span><span class="w"> </span><span class="n">fullword</span>
<span class="w">        </span><span class="err">$</span><span class="n">str_ext</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;.crypt658&quot;</span><span class="w"> </span><span class="nf">ascii</span><span class="w"> </span><span class="n">fullword</span>
        // Hex pattern of instruction bytes; each ?? is a one-byte wildcard (four in a row here).
        // "checkvm" is the rule author's label; the bytes alone do not show what the code checks.
<span class="w">        </span><span class="err">$</span><span class="n">byte_checkvm</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="err">{</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">8</span><span class="n">B</span><span class="w"> </span><span class="mi">14</span><span class="w"> </span><span class="n">DD</span><span class="w"> </span><span class="vm">??</span><span class="w"> </span><span class="vm">??</span><span class="w"> </span><span class="vm">??</span><span class="w"> </span><span class="vm">??</span><span class="w"> </span><span class="mi">31</span><span class="w"> </span><span class="n">C0</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">83</span><span class="w"> </span><span class="n">C9</span><span class="w"> </span><span class="n">FF</span><span class="w"> </span><span class="n">FC</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="n">EE</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="n">D7</span><span class="w"> </span><span class="n">F2</span><span class="w"> </span><span class="n">AE</span><span class="w"> </span><span class="mi">4</span><span class="n">C</span><span class="w"> </span><span class="mi">89</span><span class="w"> </span><span class="n">E7</span><span class="w"> </span><span class="mi">48</span><span class="w"> </span><span class="n">F7</span><span class="w"> </span><span class="n">D1</span><span class="w"> </span><span class="n">E8</span><span class="w"> </span><span class="err">}</span>
<span class="w">    </span><span class="k">condition</span><span class="err">:</span>
        // Two independent branches: any three of the four $str_* strings, or the code pattern
        // together with the console banner string. The first branch is strings-only, so any
        // scanned data holding three of those strings matches, executable or not; confirm a
        // hit against reference_sample or other indicators during triage.
<span class="w">        </span><span class="mi">3</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="p">(</span><span class="err">$</span><span class="n">str_</span><span class="o">*</span><span class="p">)</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="p">(</span><span class="err">$</span><span class="n">byte_checkvm</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="err">$</span><span class="n">str_print</span><span class="p">)</span>
<span class="err">}</span>
</code></pre></div>

<h3>Conti</h3>
<div class="codehilite"><pre><span></span><code>// Source: https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Linux_Ransomware_Conti.yar

// Elastic Security signature for the Conti Linux ransomware family (see threat_name).
// The whole rule rests on one fixed byte sequence; there is no header, size or string check.
rule Linux_Ransomware_Conti_53a640f4 {
    meta:
        author = &quot;Elastic Security&quot;
        id = &quot;53a640f4-905c-4b0d-ac4a-9ffdffd74253&quot;
        fingerprint = &quot;d81309f83494b0635444234c514fda0edc05a11ac861c769a007f9f558def148&quot;
        creation_date = &quot;2022-09-22&quot;
        last_modified = &quot;2022-10-18&quot;
        threat_name = &quot;Linux.Ransomware.Conti&quot;
        reference_sample = &quot;8b57e96e90cd95fc2ba421204b482005fe41c28f506730b6148bcef8316a3201&quot;
        severity = 100
        arch_context = &quot;x86&quot;
        scan_context = &quot;file, memory&quot;
        license = &quot;Elastic License v2&quot;
        os = &quot;linux&quot;
    strings:
        // 20 literal bytes with no wildcards; presumably compiled code taken from the
        // reference sample (arch_context is x86), to be confirmed against that sample.
        $a = { 48 D3 EA 48 89 D0 83 E0 01 48 85 C0 0F 95 C0 84 C0 74 0B 8B }
    condition:
        // With a single string defined, this is equivalent to requiring $a anywhere in the
        // scanned data. A hit on a short, generic pattern is a lead, not a verdict: corroborate
        // it with reference_sample or a second rule before acting on it.
        all of them
}
</code></pre></div>

<div class="codehilite"><pre><span></span><code>// Source: https://www.trellix.com/en-us/about/newsroom/stories/research/conti-group-targets-esxi-hypervisors-with-its-linux-variant.html

// Trellix ATR rule for the Conti Linux variant, tagged "ransomware".
// String-based: it requires an ELF header, a small file and all three strings below.
<span class="n">rule</span><span class="w"> </span><span class="n">RANSOM_Conti_Linux_Apr2022</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">ransomware</span>
<span class="p">{</span>
<span class="w">    </span><span class="n">meta</span><span class="p">:</span>
<span class="w">        </span><span class="n">description</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Detects Conti Linux variant&quot;</span>
<span class="w">        </span><span class="n">author</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Marc Elias | Trellix ATR Team&quot;</span>
<span class="w">        </span><span class="n">date</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;2022-04-06&quot;</span>
<span class="w">    </span><span class="n">strings</span><span class="p">:</span>
        // $str1 and $str2 use fullword; $str3 does not, so it also matches as the prefix of a
        // longer host name.
<span class="w">        </span><span class="o">$</span><span class="n">str1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;.conti&quot;</span><span class="w"> </span><span class="n">ascii</span><span class="w"> </span><span class="n">fullword</span>
<span class="w">        </span><span class="o">$</span><span class="n">str2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;All of your files are currently encrypted by CONTI strain&quot;</span><span class="w"> </span><span class="n">ascii</span><span class="w"> </span><span class="n">fullword</span>
<span class="w">        </span><span class="o">$</span><span class="n">str3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;http://contirec&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">    </span><span class="n">condition</span><span class="p">:</span>
        // uint32(0) reads the first four bytes little-endian; 0x464c457f is 7F 45 4C 46, the
        // ELF magic. Per the YARA documentation filesize is only meaningful when scanning
        // files, so treat this as an on-disk rule. All three strings must be present, so a
        // build with a changed extension, note text or URL is not covered.
<span class="w">        </span><span class="n">uint32</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mh">0x464c457f</span><span class="w"> </span><span class="ow">and</span>
<span class="w">        </span><span class="n">filesize</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mi">2</span><span class="n">MB</span><span class="w"> </span><span class="ow">and</span>
<span class="w">        </span><span class="n">all</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">them</span>
<span class="p">}</span>
</code></pre></div>

<div class="codehilite"><pre><span></span><code>// Source: https://github.com/signalblur/detection-artifacts/blob/main/yara/linux_malware.yar

<span class="c1">// Conti (Linux build): matches a small ELF file that contains at least four of the ten</span>
<span class="c1">// plain-text strings below (console and error messages, usage text, ransom-note phrases).</span>
<span class="c1">// Every pattern is a literal string, so a build with altered or encoded strings will not match.</span>
<span class="n">rule</span><span class="w"> </span><span class="n">Conti</span><span class="w"> </span><span class="p">{</span>
<span class="w">   </span><span class="n">meta</span><span class="p">:</span>
<span class="w">      </span><span class="n">description</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;linux_ransomware - file Conti&quot;</span>
<span class="w">      </span><span class="n">author</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;signalblur&quot;</span>
<span class="w">      </span><span class="n">reference</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Linux Research&quot;</span>
<span class="w">      </span><span class="n">date</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;2023-07-17&quot;</span>
<span class="w">      </span><span class="c1">// hash1: presumably the SHA-256 of the sample the strings were taken from - confirm against the source repository</span>
<span class="w">      </span><span class="n">hash1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;8b57e96e90cd95fc2ba421204b482005fe41c28f506730b6148bcef8316a3201&quot;</span>
<span class="w">   </span><span class="n">strings</span><span class="p">:</span>
<span class="w">      </span><span class="c1">// Identifiers are not contiguous (no $s7, $s8, $s10); only the ten defined here count towards the condition.</span>
<span class="w">      </span><span class="o">$</span><span class="n">s1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Something went wrong! - InitializeEncryptor &quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Something went wrong! - RSA_public_encrypt!&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Process with PID </span><span class="si">%d</span><span class="s2"> was killed&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;./locker --path /path&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s5</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;To prove that we REALLY CAN get your data back&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s6</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Starting encryption - CONTI POC&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s9</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;All of your files are currently encrypted&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s11</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;download and install TOR browser&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s12</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;DON&#39;T TRY TO IGNORE us&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="c1">// The spelling in $s13 is kept verbatim; presumably it mirrors the text in the sample, so do not correct it.</span>
<span class="w">      </span><span class="o">$</span><span class="n">s13</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;DONT&#39;T TRY TO RECOVER&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">   </span><span class="n">condition</span><span class="p">:</span>
<span class="w">      </span><span class="c1">// uint16(0) == 0x457f checks only the first two bytes (0x7f, 'E') of the four-byte ELF magic.</span>
<span class="w">      </span><span class="c1">// The 100KB cap limits the string search to small files; a larger build of the same family is skipped.</span>
<span class="w">      </span><span class="n">uint16</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mh">0x457f</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">filesize</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mi">100</span><span class="n">KB</span><span class="w"> </span><span class="ow">and</span>
<span class="w">      </span><span class="mi">4</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">them</span>
<span class="p">}</span>
</code></pre></div>

<h3>BlackBasta</h3>
<div class="codehilite"><pre><span></span><code>// Source: https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Linux_Ransomware_BlackBasta.yar

// BlackBasta (Linux): combines text strings with code byte sequences. A match needs
// three of the five $a* strings AND at least one of the two $seq* hex patterns.
rule Linux_Ransomware_BlackBasta_96eb3f20 {
    meta:
        author = &quot;Elastic Security&quot;
        id = &quot;96eb3f20-9c40-4d40-8a6c-568a51c52d4d&quot;
        fingerprint = &quot;5146ad9def7ccaba4b4896f345b0950c587ad5f96a106ec461caeb028d809ead&quot;
        creation_date = &quot;2022-08-06&quot;
        last_modified = &quot;2022-08-16&quot;
        threat_name = &quot;Linux.Ransomware.BlackBasta&quot;
        reference_sample = &quot;96339a7e87ffce6ced247feb9b4cb7c05b83ca315976a9522155bad726b8e5be&quot;
        severity = 100
        arch_context = &quot;x86&quot;
        // scan_context lists both file and memory; the condition has no file-magic or filesize
        // gate, presumably so that the rule can also be run against process memory - confirm with the rule source.
        scan_context = &quot;file, memory&quot;
        license = &quot;Elastic License v2&quot;
        os = &quot;linux&quot;
    strings:
        // $a1-$a5: status output, a ransom-note sentence and identifier-like names, all matched as whole words.
        $a1 = &quot;Done time: %.4f seconds, encrypted: %.4f gb&quot; ascii fullword
        $a2 = &quot;Your data are stolen and encrypted&quot; ascii fullword
        $a3 = &quot;fileEncryptionPercent&quot; ascii fullword
        $a4 = &quot;fileQueueLocker&quot; ascii fullword
        $a5 = &quot;totalBytesEncrypted&quot; ascii fullword
        // $seq_encrypt_block is a fixed byte sequence with no wildcards.
        $seq_encrypt_block = { 41 56 31 D2 41 55 41 54 49 89 FE 55 53 48 89 F5 49 63 D8 4C }
        // In $seq_encrypt_thread each ?? matches any single byte; presumably these positions hold
        // offsets that differ between builds - verify against the reference sample.
        $seq_encrypt_thread = { 4C 8B 74 24 ?? 31 DB 45 31 FF 4D 8B 6E ?? 49 83 FD ?? 0F 87 ?? ?? ?? ?? 31 C0 4D 39 EF 0F 82 ?? ?? ?? ?? 48 01 C3 4C 39 EB 0F 83 ?? ?? ?? ?? }
    condition:
        // Strings alone are not enough: one of the code sequences must be present as well.
        3 of ($a*) and 1 of ($seq*)
}
</code></pre></div>

<h3>Sodinokibi | REVil</h3>
<div class="codehilite"><pre><span></span><code><span class="c1">// Source: https://github.com/signalblur/detection-artifacts/blob/main/yara/linux_malware.yar</span>

<span class="c1">// Sodinokibi / REvil (Linux build): matches an ELF file under 300KB that contains at least four</span>
<span class="c1">// of the eleven strings below (usage text, esxcli and vm-process command fragments, per-file status messages).</span>
<span class="n">rule</span><span class="w"> </span><span class="n">Sodinokibi</span><span class="w"> </span><span class="p">{</span>
<span class="w">   </span><span class="n">meta</span><span class="p">:</span>
<span class="w">      </span><span class="n">description</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;linux_ransomware - file Sodinokib&quot;</span>
<span class="w">      </span><span class="n">author</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;signalblur&quot;</span>
<span class="w">      </span><span class="n">reference</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Linux Research&quot;</span>
<span class="w">      </span><span class="n">date</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;2023-07-17&quot;</span>
<span class="w">      </span><span class="c1">// Same value as reference_sample in the Elastic Sodinokibi rule further down this page.</span>
<span class="w">      </span><span class="n">hash1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;a322b230a3451fd11dcfe72af4da1df07183d6aaf1ab9e062f0e6b14cf6d23cd&quot;</span>
<span class="w">   </span><span class="n">strings</span><span class="p">:</span>
<span class="w">      </span><span class="c1">// Identifiers are not contiguous; only the eleven strings defined here count towards the condition.</span>
<span class="w">      </span><span class="o">$</span><span class="n">s1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Usage example: elf.exe --path /vmfs/ --threads 5 &quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;uname -a &amp;&amp; echo </span><span class="se">\&quot;</span><span class="s2"> | </span><span class="se">\&quot;</span><span class="s2"> &amp;&amp; hostname&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;esxcli --formatter=csv&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;vm process list | awk -F&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s5</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;!!!BY DEFAULT THIS SOFTWARE USES 50 THREADS!!!&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s6</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;[</span><span class="si">%s</span><span class="s2">] already encrypted&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="c1">// NOTE(review): $s7 reads like a generic parser error message rather than ransomware-specific text;</span>
<span class="w">      </span><span class="c1">// it may also occur in unrelated binaries - verify before relying on it.</span>
<span class="w">      </span><span class="o">$</span><span class="n">s7</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">%d</span><span class="s2">:</span><span class="si">%d</span><span class="s2">: Comment not allowed here&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s11</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;without --path encrypts current dir&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s17</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;File [</span><span class="si">%s</span><span class="s2">] was NOT encrypted&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s19</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Using silent mode, if you on esxi - stop VMs manualy&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s20</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;File [</span><span class="si">%s</span><span class="s2">] was encrypted&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">   </span><span class="n">condition</span><span class="p">:</span>
<span class="w">      </span><span class="c1">// uint16(0) == 0x457f checks only the first two bytes (0x7f, 'E') of the four-byte ELF magic.</span>
<span class="w">      </span><span class="c1">// Files of 300KB or more are skipped regardless of their strings.</span>
<span class="w">      </span><span class="n">uint16</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mh">0x457f</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">filesize</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mi">300</span><span class="n">KB</span><span class="w"> </span><span class="ow">and</span>
<span class="w">      </span><span class="mi">4</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">them</span>
<span class="p">}</span>
</code></pre></div>

<div class="codehilite"><pre><span></span><code>// Source: https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Linux_Ransomware_Sodinokibi.yar

// Sodinokibi (Linux): matches on a single fixed byte sequence, with no text strings.
rule Linux_Ransomware_Sodinokibi_2883d7cd {
    meta:
        author = &quot;Elastic Security&quot;
        id = &quot;2883d7cd-fd3b-47a5-9283-a40335172c62&quot;
        fingerprint = &quot;d6570a8e9358cef95388a72b2e7f747ee5092620c4f92a4b4e6c1bb277e1cb36&quot;
        creation_date = &quot;2022-01-05&quot;
        last_modified = &quot;2022-01-26&quot;
        threat_name = &quot;Linux.Ransomware.Sodinokibi&quot;
        reference_sample = &quot;a322b230a3451fd11dcfe72af4da1df07183d6aaf1ab9e062f0e6b14cf6d23cd&quot;
        severity = 100
        arch_context = &quot;x86&quot;
        // scan_context lists both file and memory; the condition has no file-magic or filesize gate.
        scan_context = &quot;file, memory&quot;
        license = &quot;Elastic License v2&quot;
        os = &quot;linux&quot;
    strings:
        // 24 literal bytes, no wildcards. NOTE(review): a rebuilt variant whose compiled code differs
        // at this spot would presumably not match - pair with a string-based rule for coverage.
        $a = { 85 08 FF FF FF 48 01 85 28 FF FF FF 48 8B 85 08 FF FF FF 48 29 85 20 FF }
    condition:
        // Only one pattern is defined, so this is equivalent to requiring $a.
        all of them
}
</code></pre></div>

<div class="codehilite"><pre><span></span><code><span class="c1">// Source: https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version</span>

<span class="c1">// REvil (Linux build): matches a file that starts with the full ELF magic and contains</span>
<span class="c1">// any three of the four strings below. There is no filesize bound.</span>
<span class="n">rule</span><span class="w"> </span><span class="n">REvilLinux</span>
<span class="p">{</span>
<span class="w">    </span><span class="n">meta</span><span class="p">:</span>
<span class="w">        </span><span class="n">author</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;AlienLabs&quot;</span>
<span class="w">        </span><span class="n">description</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;REvil Linux&quot;</span>
<span class="w">        </span><span class="n">sha256</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4&quot;</span>
<span class="w">    </span><span class="n">strings</span><span class="p">:</span>
<span class="w">        </span><span class="c1">// No modifiers are given, so YARA's default (ascii, substring match) applies to all four.</span>
<span class="w">        </span><span class="c1">// The identifier names ($func, $sleep, $re, $a3) do not describe the strings they hold.</span>
<span class="w">        </span><span class="o">$</span><span class="k">func</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;File [</span><span class="si">%s</span><span class="s2">] was NOT encrypted&quot;</span>
<span class="w">        </span><span class="c1">// NOTE(review): a bare tool name is a weak indicator by itself; it only contributes</span>
<span class="w">        </span><span class="c1">// because the condition needs two further strings alongside it.</span>
<span class="w">        </span><span class="o">$</span><span class="n">sleep</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;esxcli&quot;</span>
<span class="w">        </span><span class="o">$</span><span class="n">re</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;[</span><span class="si">%s</span><span class="s2">] is protected by os&quot;</span>
<span class="w">        </span><span class="o">$</span><span class="n">a3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Error create note in dir </span><span class="si">%s</span><span class="s2">&quot;</span>
<span class="w">    </span><span class="n">condition</span><span class="p">:</span>
<span class="w">        </span><span class="c1">// uint32(0) == 0x464C457F compares all four magic bytes (0x7f 'E' 'L' 'F', read little-endian).</span>
<span class="w">        </span><span class="n">uint32</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mh">0x464C457F</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">them</span>
<span class="p">}</span>
</code></pre></div>

<h3>BlackMatter | DarkSide</h3>
<div class="codehilite"><pre><span></span><code><span class="c1">// Source: https://github.com/signalblur/detection-artifacts/blob/main/yara/linux_malware.yar</span>

<span class="c1">// DarkSide / BlackMatter (Linux build): matches an ELF file under 6000KB that contains</span>
<span class="c1">// at least three of the five strings below.</span>
<span class="n">rule</span><span class="w"> </span><span class="n">DarkSide_BlackMatter</span><span class="w"> </span><span class="p">{</span>
<span class="w">   </span><span class="n">meta</span><span class="p">:</span>
<span class="w">      </span><span class="n">description</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;linux_ransomware - file DarkSide_BlackMatter&quot;</span>
<span class="w">      </span><span class="n">author</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;signalblur&quot;</span>
<span class="w">      </span><span class="n">reference</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Linux Research&quot;</span>
<span class="w">      </span><span class="n">date</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;2023-07-17&quot;</span>
<span class="w">      </span><span class="c1">// hash1: presumably the SHA-256 of the sample the strings were taken from - confirm against the source repository</span>
<span class="w">      </span><span class="n">hash1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502&quot;</span>
<span class="w">   </span><span class="n">strings</span><span class="p">:</span>
<span class="w">      </span><span class="c1">// None of the strings uses fullword, so each also matches inside a longer string.</span>
<span class="w">      </span><span class="o">$</span><span class="n">s1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Unable To Get Process List, &quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="c1">// $s2-$s4 look like namespace-qualified function names (app::...); presumably they are present</span>
<span class="w">      </span><span class="c1">// because the sample logs or retains them - verify against the sample.</span>
<span class="w">      </span><span class="o">$</span><span class="n">s2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;app::esxi_utils::get_process_list&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;app::master_proc::process_file_encryption&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;app::file_encrypter::process_file&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="c1">// NOTE(review): $s5 is a generic error text that unrelated programs may also contain;</span>
<span class="w">      </span><span class="c1">// the 3-of-5 threshold means it still needs two of the more specific strings.</span>
<span class="w">      </span><span class="o">$</span><span class="n">s5</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;execvp failure&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">   </span><span class="n">condition</span><span class="p">:</span>
<span class="w">      </span><span class="c1">// uint16(0) == 0x457f checks only the first two bytes (0x7f, 'E') of the four-byte ELF magic.</span>
<span class="w">      </span><span class="n">uint16</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mh">0x457f</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">filesize</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mi">6000</span><span class="n">KB</span><span class="w"> </span><span class="ow">and</span>
<span class="w">      </span><span class="mi">3</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">them</span>
<span class="p">}</span>
</code></pre></div>

<div class="codehilite"><pre><span></span><code><span class="c1">// Source: https://www.recordedfuture.com/blackmatter-ransomware-protection</span>

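<span class="c1">// BlackMatter (Linux payload): matches an ELF file larger than 1900KB that contains</span>
<span class="c1">// all six strings below. The author credit in the meta section names Recorded Future's Insikt Group.</span>
<span class="c1">// String delimiters are plain ASCII double quotes: YARA does not accept typographic (curly)</span>
<span class="c1">// quotes, and a rule pasted with them fails to compile.</span>
<span class="n">rule</span><span class="w"> </span><span class="n">MAL_BlackMatter_Linux</span>
<span class="p">{</span>
<span class="w">    </span><span class="n">meta</span><span class="p">:</span>
<span class="w">        </span><span class="n">author</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;LKAYE, Insikt Group, Recorded Future&quot;</span>
<span class="w">        </span><span class="n">date</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;2021-07-28&quot;</span>
<span class="w">        </span><span class="n">description</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Rule to detect BlackMatter ransomware Linux payload&quot;</span>
<span class="w">        </span><span class="n">version</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;1.0&quot;</span>
<span class="w">        </span><span class="n">RF_MALWARE</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;BlackMatter Ransomware&quot;</span>
<span class="w">    </span><span class="n">strings</span><span class="p">:</span>
<span class="w">        </span><span class="c1">// No modifiers are given, so YARA's default (ascii, substring match) applies to all six.</span>
<span class="w">        </span><span class="o">$</span><span class="n">s1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Another Instance Currently Running...&quot;</span>
<span class="w">        </span><span class="o">$</span><span class="n">s2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Removing Self Executable...&quot;</span>
<span class="w">        </span><span class="o">$</span><span class="n">s3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;web_reporter::main_sender_proc()&quot;</span>
<span class="w">        </span><span class="c1">// The trailing space inside $s4 is part of the pattern.</span>
<span class="w">        </span><span class="o">$</span><span class="n">s4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;NO stat available for &quot;</span>
<span class="w">        </span><span class="o">$</span><span class="n">s5</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Please, just wait...&quot;</span>
<span class="w">        </span><span class="o">$</span><span class="n">s6</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;.cfgETD&quot;</span>
<span class="w">    </span><span class="n">condition</span><span class="p">:</span>
<span class="w">        </span><span class="c1">// uint16(0) == 0x457F checks only the first two bytes (0x7f, 'E') of the four-byte ELF magic.</span>
<span class="w">        </span><span class="c1">// filesize is a LOWER bound here (larger than 1900KB), and every string must be present,</span>
<span class="w">        </span><span class="c1">// so a build that drops or changes any one of them is missed.</span>
<span class="w">        </span><span class="n">uint16</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mh">0x457F</span><span class="w"> </span><span class="ow">and</span>
<span class="w">        </span><span class="n">filesize</span><span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="mi">1900</span><span class="n">KB</span><span class="w"> </span><span class="ow">and</span>
<span class="w">        </span><span class="n">all</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">them</span>
<span class="p">}</span>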
</code></pre></div>

<h3>Defray777 | RansomEXX</h3>
<div class="codehilite"><pre><span></span><code><span class="c1">// Source: https://github.com/ditekshen/detection/blob/ce5df37e50b52ddb58dc7ff9b1ab9e011822f68c/yara/malware.yar#L2536</span>

<span class="c1">// RansomEXX (Linux build): matches an ELF file on two groups of whole-word strings,</span>
<span class="c1">// $c* (names ending in .c) and $s* (identifier-like names). There is no filesize bound.</span>
<span class="n">rule</span><span class="w"> </span><span class="n">MALWARE_Linux_RansomExx</span><span class="w"> </span><span class="p">{</span>
<span class="w">    </span><span class="n">meta</span><span class="p">:</span>
<span class="w">        </span><span class="n">author</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;ditekshen&quot;</span>
<span class="w">        </span><span class="n">description</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Detects RansomEXX ransomware&quot;</span>
<span class="w">        </span><span class="n">clamav_sig</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;MALWARE.Linux.Ransomware.RansomEXX&quot;</span>
<span class="w">    </span><span class="n">strings</span><span class="p">:</span>
<span class="w">        </span><span class="c1">// $c*: source file names. Presumably these survive only in binaries that keep symbol or</span>
<span class="w">        </span><span class="c1">// debug information - verify on stripped samples. crtstuff.c is a GCC runtime file name</span>
<span class="w">        </span><span class="c1">// found in many unrelated unstripped ELF binaries, so $c1 adds little by itself.</span>
<span class="w">        </span><span class="o">$</span><span class="n">c1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;crtstuff.c&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">        </span><span class="o">$</span><span class="n">c2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;cryptor.c&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">        </span><span class="o">$</span><span class="n">c3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;ransomware.c&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">        </span><span class="o">$</span><span class="n">c4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;logic.c&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">        </span><span class="o">$</span><span class="n">c5</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;enum_files.c&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">        </span><span class="o">$</span><span class="n">c6</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;readme.c&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">        </span><span class="o">$</span><span class="n">c7</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;ctr_drbg.c&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>

<span class="w">        </span><span class="c1">// $s*: names that look like functions and globals of the encryptor.</span>
<span class="w">        </span><span class="o">$</span><span class="n">s1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;regenerate_pre_data&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">        </span><span class="o">$</span><span class="n">s2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;g_RansomHeader&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">        </span><span class="o">$</span><span class="n">s3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;CryptOneBlock&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">        </span><span class="o">$</span><span class="n">s4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;RansomLogic&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">        </span><span class="o">$</span><span class="n">s5</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;CryptOneFile&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">        </span><span class="o">$</span><span class="n">s6</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;encrypt_worker&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">        </span><span class="o">$</span><span class="n">s7</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;list_dir&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">        </span><span class="o">$</span><span class="n">s8</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;ctr_drbg_update_internal&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">    </span><span class="n">condition</span><span class="p">:</span>
<span class="w">        </span><span class="c1">// uint16(0) == 0x457f checks only the first two bytes (0x7f, 'E') of the four-byte ELF magic.</span>
<span class="w">        </span><span class="c1">// NOTE(review): as written, &quot;6 of ($s*)&quot; can never decide the match because &quot;5 of ($s*)&quot; already</span>
<span class="w">        </span><span class="c1">// covers it, so the $c* group only matters in the last term. The first term may have been meant</span>
<span class="w">        </span><span class="c1">// to count $c* strings - compare with the pinned upstream file before deploying.</span>
<span class="w">        </span><span class="n">uint16</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mh">0x457f</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="p">(</span><span class="mi">5</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="p">(</span><span class="o">$</span><span class="n">s</span><span class="o">*</span><span class="p">)</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="mi">6</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="p">(</span><span class="o">$</span><span class="n">s</span><span class="o">*</span><span class="p">)</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="p">(</span><span class="mi">3</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="p">(</span><span class="o">$</span><span class="n">c</span><span class="o">*</span><span class="p">)</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="p">(</span><span class="o">$</span><span class="n">s</span><span class="o">*</span><span class="p">)))</span>
<span class="p">}</span>
</code></pre></div>

<h3>HelloKitty | ViceSociety</h3>
<div class="codehilite"><pre><span></span><code>// Source: https://github.com/signalblur/detection-artifacts/blob/main/yara/linux_malware.yar

// Flags a small ELF file that carries at least 4 of the 10 strings below: ESXi VM
// enumeration and kill commands plus log and error messages.
// hash1 in meta is a reference sample only; the condition does not evaluate it.
<span class="n">rule</span><span class="w"> </span><span class="n">HelloKitty</span><span class="w"> </span><span class="p">{</span>
<span class="w">   </span><span class="n">meta</span><span class="p">:</span>
<span class="w">      </span><span class="n">description</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;linux_ransomware - file HelloKitty&quot;</span>
<span class="w">      </span><span class="n">author</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;signalblur&quot;</span>
<span class="w">      </span><span class="n">reference</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Linux Research&quot;</span>
<span class="w">      </span><span class="n">date</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;2023-07-17&quot;</span>
<span class="w">      </span><span class="n">hash1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;556e5cb5e4e77678110961c8d9260a726a363e00bf8d278e5302cb4bfccc3eed&quot;</span>
<span class="w">   </span><span class="n">strings</span><span class="p">:</span>
      // $s3 and $s4 have no fullword modifier, so they also match inside longer strings.
      // The two esxcli strings are shared with the other ESXi ransomware rules on this page;
      // the log and error messages are what make a match more specific.
<span class="w">      </span><span class="o">$</span><span class="n">s3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;esxcli vm process kill&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;work.log&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s7</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;esxcli vm process list&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s8</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Error InitAPI !!!&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s9</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;error encrypt: </span><span class="si">%s</span><span class="s2"> rename back:</span><span class="si">%s</span><span class="s2">&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s10</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;No Files Found !!!&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s11</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">%d</span><span class="s2"> manual !!!&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s12</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Log closed :</span><span class="si">%s</span><span class="s2">&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s13</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;</span><span class="si">%ld</span><span class="s2"> - Files Found  &quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s15</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Total VM run on host:&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">   </span><span class="n">condition</span><span class="p">:</span>
      // uint16(0) == 0x457f: the file starts with bytes 7F 45, the start of the ELF magic.
      // filesize is only defined for file scans, so this rule cannot match when YARA
      // scans the memory of a running process.
<span class="w">      </span><span class="n">uint16</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mh">0x457f</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">filesize</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mi">200</span><span class="n">KB</span><span class="w"> </span><span class="ow">and</span>
<span class="w">      </span><span class="mi">4</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">them</span>
<span class="p">}</span>
</code></pre></div>

<div class="codehilite"><pre><span></span><code>// Source: https://github.com/advanced-threat-research/Yara-Rules/blob/master/ransomware/RANSOM_Linux_HelloKitty0721.yar

// Flags the Linux HelloKitty variant on 11 strings: three esxcli kill command templates,
// VM listing, file-locking and encryption error messages, a startup banner and two
// library strings. hash1 and hash2 in meta are reference samples, not matched values.
<span class="n">rule</span><span class="w"> </span><span class="n">ransom_Linux_HelloKitty_0721</span><span class="w"> </span><span class="p">{</span>
<span class="w">   </span><span class="n">meta</span><span class="p">:</span>
<span class="w">      </span><span class="n">description</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;rule to detect Linux variant of the Hello Kitty Ransomware&quot;</span>
<span class="w">      </span><span class="n">author</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Christiaan @ ATR&quot;</span>
<span class="w">      </span><span class="n">date</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;2021-07-19&quot;</span>
<span class="w">      </span><span class="n">Rule_Version</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;v1&quot;</span>
<span class="w">      </span><span class="n">malware_type</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;ransomware&quot;</span>
<span class="w">      </span><span class="n">malware_family</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Ransom:Linux/HelloKitty&quot;</span>
<span class="w">      </span><span class="n">hash1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;ca607e431062ee49a21d69d722750e5edbd8ffabcb54fa92b231814101756041&quot;</span>
<span class="w">      </span><span class="n">hash2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;556e5cb5e4e77678110961c8d9260a726a363e00bf8d278e5302cb4bfccc3eed&quot;</span>

<span class="w">   </span><span class="n">strings</span><span class="p">:</span>
      // $v1 to $v3 are the same kill command with the three -t values (force, hard, soft).
<span class="w">      </span><span class="o">$</span><span class="n">v1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;esxcli vm process kill -t=force -w=</span><span class="si">%d</span><span class="s2">&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">v2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;esxcli vm process kill -t=hard -w=</span><span class="si">%d</span><span class="s2">&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">v3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;esxcli vm process kill -t=soft -w=</span><span class="si">%d</span><span class="s2">&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">v4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;error encrypt: </span><span class="si">%s</span><span class="s2"> rename back:</span><span class="si">%s</span><span class="s2">&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">v5</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;esxcli vm process list&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">v6</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Total VM run on host:&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">v7</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;error lock_exclusively:</span><span class="si">%s</span><span class="s2"> owner pid:</span><span class="si">%d</span><span class="s2">&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">v8</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Error open </span><span class="si">%s</span><span class="s2"> in try_lock_exclusively&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">v9</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Mode:</span><span class="si">%d</span><span class="s2">  Verbose:</span><span class="si">%d</span><span class="s2"> Daemon:</span><span class="si">%d</span><span class="s2"> AESNI:</span><span class="si">%d</span><span class="s2"> RDRAND:</span><span class="si">%d</span><span class="s2"> &quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
      // NOTE(review): $v10 and $v11 look like generic pthread and OpenSSL CRYPTOGAMS library
      // strings rather than family-specific ones, yet they count toward the threshold below.
<span class="w">      </span><span class="o">$</span><span class="n">v10</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;pthread_cond_signal() error&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">v11</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;ChaCha20 for x86_64, CRYPTOGAMS by &lt;appro@openssl.org&gt;&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>

<span class="w">   </span><span class="n">condition</span><span class="p">:</span>
      // Branch 1: ELF header, under 200KB, and 8 of the 11 strings.
      // Branch 2: all 11 strings with no header or size check. Because filesize is only
      // defined for file scans, branch 2 is the only one that can match process memory.
<span class="w">      </span><span class="p">(</span><span class="w"> </span><span class="n">uint16</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mh">0x457f</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">filesize</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mi">200</span><span class="n">KB</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="mi">8</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">them</span><span class="w"> </span><span class="p">)</span>
<span class="w">      </span><span class="p">)</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="n">all</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">them</span><span class="w"> </span><span class="p">)</span>
<span class="p">}</span>
</code></pre></div>

<div class="codehilite"><pre><span></span><code>// Source: https://github.com/ditekshen/detection/blob/ce5df37e50b52ddb58dc7ff9b1ab9e011822f68c/yara/malware.yar#L7707

// Flags an ELF file as Linux HelloKitty from two string groups: $s* (program messages,
// file names and API names) and $m* (ransom-note phrases, matched case-insensitively).
// There is no filesize bound in this rule.
rule MALWARE_Linux_HelloKitty {
    meta:
        author = &quot;ditekSHen&quot;
        description = &quot;Detects Linux version of HelloKitty ransomware&quot;
    strings:
        $s1 = &quot;exec_pipe:%s&quot; ascii
        $s2 = &quot;Error InitAPI !!!&quot; fullword ascii
        $s3 = &quot;No Files Found !!!&quot; fullword ascii
        $s4 = &quot;Error open log File:%s&quot; fullword ascii
        $s5 = &quot;%ld - Files Found  &quot; fullword ascii
        $s6 = &quot;Total VM run on host:&quot; fullword ascii
        $s7 = &quot;error:%d open:%s&quot; fullword ascii
        $s8 = &quot;work.log&quot; fullword ascii
        $s9 = &quot;esxcli vm process kill&quot; ascii
        // NOTE(review): readdir64 ($s10) and EVP_EncryptFinal_ex ($s12) are libc and OpenSSL
        // API names found in many unrelated binaries; they still count toward the thresholds.
        $s10 = &quot;readdir64&quot; fullword ascii
        $s11 = &quot;%s_%d.block&quot; fullword ascii
        $s12 = &quot;EVP_EncryptFinal_ex&quot; fullword ascii
        $s13 = &quot;.README_TO_RESTORE&quot; fullword ascii
        $m1 = &quot;COMPROMISED AND YOUR SENSITIVE PRIVATE INFORMATION WAS STOLEN&quot; ascii nocase
        $m2 = &quot;damage them without special software&quot; ascii nocase
        $m3 = &quot;leaking or being sold&quot; ascii nocase
        $m4 = &quot;Data will be Published and/or Sold&quot; ascii nocase
    condition:
        // ELF header plus either 6 program strings, or 2 note phrases with 2 program strings.
        // NOTE(review): the trailing "8 of them" adds no new matches. Eight hits with fewer
        // than 6 $s strings need at least 3 $m and 4 $s, which the middle clause already accepts.
        uint16(0) == 0x457f and (6 of ($s*) or (2 of ($m*) and 2 of ($s*)) or 8 of them)
}
</code></pre></div>

<h3>Royal</h3>
<div class="codehilite"><pre><span></span><code>// Source: https://github.com/signalblur/detection-artifacts/blob/main/yara/linux_malware.yar

// Flags an ELF file under 7000KB that contains any 2 of the 6 strings below.
// NOTE(review): $s1 plus $s3 (the two generic esxcli commands, which the HelloKitty and
// BlackSuit rules on this page also use) already satisfy the condition, and so does $s4
// with either of them. A hit is therefore not proof of Royal: check which strings matched
// and give weight to $s2, $s5 and $s6.
<span class="n">rule</span><span class="w"> </span><span class="n">Royal</span><span class="w"> </span><span class="p">{</span>
<span class="w">   </span><span class="n">meta</span><span class="p">:</span>
<span class="w">      </span><span class="n">description</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;royal_linux - file Royal&quot;</span>
<span class="w">      </span><span class="n">author</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;signalblur&quot;</span>
<span class="w">      </span><span class="n">reference</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Linux Research&quot;</span>
<span class="w">      </span><span class="n">date</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;2023-07-17&quot;</span>
<span class="w">      </span><span class="n">hash1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c&quot;</span>
<span class="w">   </span><span class="n">strings</span><span class="p">:</span>
      // Only $s1 uses fullword; the others match as substrings, including the short ".onion".
<span class="w">      </span><span class="o">$</span><span class="n">s1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;esxcli vm process kill&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;If you are reading this, it means that your system were hit by Royal ransomware.&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;esxcli vm process list&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;.onion&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s5</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;.royal_u&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s6</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;.royal_w&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">   </span><span class="n">condition</span><span class="p">:</span>
      // filesize is only defined for file scans, so this rule cannot match when YARA
      // scans the memory of a running process.
<span class="w">      </span><span class="n">uint16</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mh">0x457f</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">filesize</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mi">7000</span><span class="n">KB</span><span class="w"> </span><span class="ow">and</span>
<span class="w">      </span><span class="mi">2</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">them</span>
<span class="p">}</span>
</code></pre></div>

<h3>BlackSuit</h3>
<div class="codehilite"><pre><span></span><code>// Source: https://github.com/signalblur/detection-artifacts/blob/main/yara/linux_malware.yar

// Flags an ELF file under 8000KB on any ONE esxcli command string ($e*), any ONE spelling
// of the family name ($r*), or 2 of the 4 log messages ($w*).
// NOTE(review): the three groups are joined with "or", so a single generic string such as
// $e2 is enough. Expect matches on other ESXi-targeting samples and on tooling that embeds
// these commands; treat a hit as a triage lead and confirm it with the $r and $w strings.
<span class="n">rule</span><span class="w"> </span><span class="n">BlackSuit</span><span class="w"> </span><span class="p">{</span>
<span class="w">   </span><span class="n">meta</span><span class="p">:</span>
<span class="w">      </span><span class="n">description</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;linux_ransomware - file BlackSuit&quot;</span>
<span class="w">      </span><span class="n">author</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;signalblur&quot;</span>
<span class="w">      </span><span class="n">reference</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Linux Research&quot;</span>
<span class="w">      </span><span class="n">date</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;2023-07-17&quot;</span>
<span class="w">      </span><span class="n">hash1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e&quot;</span>
<span class="w">   </span><span class="n">strings</span><span class="p">:</span>
      // $e*: ESXi VM kill and list commands, shared with the other ESXi rules on this page.
<span class="w">      </span><span class="o">$</span><span class="n">e1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;esxcli vm process kill&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">e2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;esxcli vm process list&quot;</span><span class="w"> </span><span class="n">ascii</span>

      // $r*: two spellings of the family name, because these strings are case-sensitive.
<span class="w">      </span><span class="o">$</span><span class="n">r1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;blacksuit&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">r2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;BlackSuit&quot;</span><span class="w"> </span><span class="n">ascii</span>

      // $w*: log messages. "Terned" is presumably spelled this way in the sample; do not
      // correct it - TODO confirm against hash1.
<span class="w">      </span><span class="o">$</span><span class="n">w1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Terned off vmsyslog&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">w2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;ps -Cc|grep vmsyslogd &gt; PS_syslog_&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">w3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Entropy collected!&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">w4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Drop readme failed: </span><span class="si">%s</span><span class="s2">(</span><span class="si">%d</span><span class="s2">)&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">   </span><span class="n">condition</span><span class="p">:</span>
    // filesize is only defined for file scans, so this rule cannot match when YARA
    // scans the memory of a running process.
<span class="w">    </span><span class="n">uint16</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mh">0x457f</span><span class="w"> </span><span class="ow">and</span>
<span class="w">    </span><span class="n">filesize</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mi">8000</span><span class="n">KB</span><span class="w"> </span><span class="ow">and</span>
<span class="w">    </span><span class="p">(</span><span class="mi">1</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="p">(</span><span class="o">$</span><span class="n">e</span><span class="o">*</span><span class="p">)</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="p">(</span><span class="o">$</span><span class="n">r</span><span class="o">*</span><span class="p">)</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="p">(</span><span class="o">$</span><span class="n">w</span><span class="o">*</span><span class="p">))</span>
<span class="p">}</span>
</code></pre></div>

<h3>Hive</h3>
<div class="codehilite"><pre><span></span><code>// Source: https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Linux_Ransomware_Hive.yar

// Single-indicator rule: matches one 22-byte hex pattern and nothing else.
// reference_sample and fingerprint in meta are informational; the condition does not use them.
// The meta license field reads Elastic License v2; check its terms before redistributing.
rule Linux_Ransomware_Hive_bdc7de59 {
    meta:
        author = &quot;Elastic Security&quot;
        id = &quot;bdc7de59-bf12-461f-99e0-ec2532ace4e9&quot;
        fingerprint = &quot;415ef589a1c2da6b16ab30fb68f938a9ee7917f5509f73aa90aeec51c10dc1ff&quot;
        creation_date = &quot;2022-01-05&quot;
        last_modified = &quot;2022-01-26&quot;
        threat_name = &quot;Linux.Ransomware.Hive&quot;
        reference_sample = &quot;713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771&quot;
        severity = 100
        arch_context = &quot;x86&quot;
        scan_context = &quot;file, memory&quot;
        license = &quot;Elastic License v2&quot;
        os = &quot;linux&quot;
    strings:
        // NOTE(review): presumably a machine-code sequence taken from the reference sample.
        // A byte signature like this stops matching when the code is rebuilt or laid out
        // differently, so a clean scan does not rule the family out.
        $a = { 40 03 4C 39 C1 73 3A 4C 89 84 24 F0 00 00 00 48 89 D3 48 89 CF 4C }
    condition:
        // No file-type or size check: the pattern may match at any offset in any scanned data,
        // which is consistent with the "file, memory" scan_context in meta.
        all of them
}
</code></pre></div>

<h3>GonnaCry</h3>
<div class="codehilite"><pre><span></span><code>// Source: https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Linux_Ransomware_Gonnacry.yar

// Single-indicator rule: matches one 20-byte hex pattern and nothing else.
// reference_sample and fingerprint in meta are informational; the condition does not use them.
// The meta license field reads Elastic License v2; check its terms before redistributing.
rule Linux_Ransomware_Gonnacry_53c3832d {
    meta:
        author = &quot;Elastic Security&quot;
        id = &quot;53c3832d-ceff-407d-920b-7b6442688fa9&quot;
        fingerprint = &quot;7d93c26c9e069af5cef964f5747104ba6d1d0d030a1f6b1c377355223c5359a1&quot;
        creation_date = &quot;2021-01-12&quot;
        last_modified = &quot;2021-09-16&quot;
        threat_name = &quot;Linux.Ransomware.Gonnacry&quot;
        reference_sample = &quot;f5de75a6db591fe6bb6b656aa1dcfc8f7fe0686869c34192bfa4ec092554a4ac&quot;
        severity = 100
        arch_context = &quot;x86&quot;
        scan_context = &quot;file, memory&quot;
        license = &quot;Elastic License v2&quot;
        os = &quot;linux&quot;
    strings:
        // NOTE(review): the first 8 bytes (55 48 89 E5 48 83 EC 10) are the common x86-64
        // function prologue push rbp; mov rbp, rsp; sub rsp, 0x10, so the specificity rests
        // on the remaining 12 bytes. Validate false positives on your own corpus before alerting.
        $a = { 55 48 89 E5 48 83 EC 10 48 89 7D F8 EB 56 48 8B 45 F8 48 8B }
    condition:
        // No file-type or size check: the pattern may match at any offset in any scanned data.
        all of them
}
</code></pre></div>

<h3>Erebus</h3>
<div class="codehilite"><pre><span></span><code>// Source: https://github.com/Yara-Rules/rules/blob/master/malware/RANSOM_Erebus.yar

// Flags data that contains both Erebus strings: a log path with an embedded GUID and the
// phrase "EREBUS IS BEST.". The rule carries the tag "ransom".
// MD5, SHA256 and ref1 in meta are reference information; the condition does not use them.
<span class="k">rule</span><span class="w"> </span><span class="nl">Erebus</span><span class="p">:</span><span class="w"> </span><span class="n">ransom</span>
<span class="err">{</span>
<span class="w">    </span><span class="nl">meta</span><span class="p">:</span>
<span class="w">        </span><span class="n">description</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;Erebus Ransomware&quot;</span>
<span class="w">        </span><span class="n">author</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;Joan Soriano / @joanbtl&quot;</span>
<span class="w">        </span><span class="nc">date</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;2017-06-23&quot;</span>
<span class="w">        </span><span class="n">version</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;1.0&quot;</span>
<span class="w">        </span><span class="n">MD5</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;27d857e12b9be5d43f935b8cc86eaabf&quot;</span>
<span class="w">        </span><span class="n">SHA256</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f&quot;</span>
<span class="w">        </span><span class="n">ref1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;http://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/&quot;</span>
<span class="w">    </span><span class="nl">strings</span><span class="p">:</span>
        // No modifiers are given, so both strings are matched as case-sensitive ASCII text.
<span class="w">        </span><span class="err">$</span><span class="n">a</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;/{5f58d6f0-bb9c-46e2-a4da-8ebc746f24a5}//log.log&quot;</span>
<span class="w">        </span><span class="err">$</span><span class="n">b</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ss">&quot;EREBUS IS BEST.&quot;</span>
<span class="w">    </span><span class="k">condition</span><span class="err">:</span>
        // No ELF header or size check: any file type holding both strings matches, including
        // reports or rule files that quote them.
<span class="w">        </span><span class="ow">all</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="n">them</span>
<span class="err">}</span>
</code></pre></div>

<h3>eCh0raix | QNAPCrypt</h3>
<div class="codehilite"><pre><span></span><code>// Source: https://github.com/intezer/yara-rules/blob/master/QNAPCrypt.yar

// Flags data that contains either the ransom-note sentence $a (case-insensitive) or at
// least 2 of the $b* strings: function names in the "main." namespace and a long
// dot-separated list of target file extensions ($b1).
// There is no file-type or size check, so the rule applies to any scanned data.
<span class="n">rule QnapCrypt</span>
<span class="n">{   </span>
<span class="n">    meta:</span>
<span class="n">        copyright = &quot;Intezer Labs&quot;</span>
<span class="n">        author = &quot;Intezer Labs&quot;</span>
<span class="n">        reference = &quot;https://www.intezer.com&quot;</span>

<span class="n">    strings:</span>
<span class="n">        $a = &quot;Do NOT remove this file and NOT remove last line in this file!&quot; nocase</span>
        // NOTE(review): $b0 and $b4 below hold the same text, "main.writemessage". YARA counts
        // strings by identifier, so one occurrence of that name matches both and satisfies
        // "2 of ($b*)" by itself. Check upstream whether $b4 was meant to be another symbol.
<span class="n">        $b0 = &quot;main.writemessage&quot;</span>
<span class="n">        $b1 = &quot;inf.1st.3ds.3fr.4db.4dd.602.a4p.a5w.abf.abw.act.adr.aep.aes.aex.aim.alx.ans.apk.apt.arj.aro.arw.asa.asc.ase.asp.asr.att.aty.avi.awm.awp.awt.aww.axd.bar.bat.bay.bc6.bc7.big.bik.bin.bit.bkf.bkp.bml.bok.bpw.bsa.bwp.bz2.c++.cab.cas.cat.cdf.cdr.cer.cfg.cfm.cfr.cha.chm.cms.con.cpg.cpp.cr2.crl.crp.crt.crw.csp.csr.css.csv.cxx.dap.das.dat.db0.dba.dbf.dbm.dbx.dcr.der.dll.dml.dmp.dng.doc.dot.dwg.dwk.dwt.dxf.dxg.ece.eml.epk.eps.erf.esm.ewp.far.fdb.fit.flv.fmp.fos.fpk.fsh.fwp.gdb.gho.gif.gne.gpg.gsp.gxk.hdm.hkx.htc.htm.htx.hxs.idc.idx.ifx.iqy.iso.itl.itm.iwd.iwi.jcz.jpe.jpg.jsp.jss.jst.jvs.jws.kdb.kdc.key.kit.ksd.lbc.lbf.lrf.ltx.lvl.lzh.m3u.m4a.map.max.mdb.mdf.mef.mht.mjs.mlx.mov.moz.mp3.mpd.mpp.mvc.mvr.myo.nba.nbf.ncf.ngc.nod.nrw.nsf.ntl.nv2.nxg.nzb.oam.odb.odc.odm.odp.ods.odt.ofx.olp.orf.oth.p12.p7b.p7c.pac.pak.pdb.pdd.pdf.pef.pem.pfx.pgp.php.png.pot.ppj.pps.ppt.prf.pro.psd.psk.psp.pst.psw.ptw.ptx.pub.qba.qbb.qbo.qbw.qbx.qdf.qfx.qic.qif.qrm.r3d.raf.rar.raw.re4.rim.rjs.rsn.rss.rtf.rw2.rw3.rwl.rwp.saj.sav.sdb.sdc.sdf.sht.sid.sie.sis.sko.slm.snx.spc.sql.sr2.src.srf.srw.ssp.stc.stl.stm.stp.sum.svc.svg.svr.swz.sxc.t12.t13.tar.tax.tbl.tbz.tcl.tgz.tib.tor.tpl.txt.ucf.upk.url.vbd.vbo.vcf.vdf.vdi.vdw.vlp.vmx.vpk.vrt.vtf.w3x.wav.wb2.wbs.wdb.web.wgp.wgt.wma.wml.wmo.wmv.woa.wpd.wpp.wps.wpx.wrf.x3f.x_t.xbl.xbm.xht.xla.xlk.xll.xlm.xls.xlt.xlw.xml.xpd.xpm.xps.xss.xul.xwd.xws.xxx.zfo.zip.zul.zvz&quot;</span>
<span class="n">        $b2 = &quot;main.makesecret&quot;</span>
<span class="n">        $b3 = &quot;main.chDir&quot;</span>
<span class="n">        $b4 = &quot;main.writemessage&quot;</span>
<span class="n">        $b5 = &quot;main.randSeq&quot;</span>
<span class="n">        $b6 = &quot;main.encrypt&quot;</span>
<span class="n">    condition:</span>
        // Short names such as main.encrypt and main.chDir could occur in unrelated programs;
        // weigh a $b-only match accordingly and look for $a or $b1 as stronger evidence.
<span class="n">        $a or 2 of ($b*)</span>
<span class="n">}</span>
</code></pre></div>

<h3>Cylance Ransomware</h3>
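<div class="codehilite"><pre><span></span><code><span class="c1">// Source: https://github.com/signalblur/detection-artifacts/blob/main/yara/linux_malware.yar</span>
<span class="c1">// Matches an ELF file under 3000KB that contains at least four of the six strings below.</span>
<span class="n">rule</span><span class="w"> </span><span class="n">Cylance</span><span class="w"> </span><span class="p">{</span>
<span class="w">   </span><span class="n">meta</span><span class="p">:</span>
<span class="w">      </span><span class="n">description</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;linux_ransomware - file Cylance&quot;</span>
<span class="w">      </span><span class="n">author</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;signalblur&quot;</span>
<span class="w">      </span><span class="n">reference</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Linux Research&quot;</span>
<span class="w">      </span><span class="n">date</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;2023-07-17&quot;</span>
<span class="w">      </span><span class="n">hash1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;d1ba6260e2c6bf82be1d6815e19a1128aa0880f162a0691f667061c8fe8f1b2c&quot;</span>
<span class="w">   </span><span class="n">strings</span><span class="p">:</span>
<span class="w">      </span><span class="c1">// $s2 and $s5 read like C-library diagnostics (netlink, relocation) rather than</span>
<span class="w">      </span><span class="c1">// family-specific text; if so they occur in many statically linked ELF files, and</span>
<span class="w">      </span><span class="c1">// the family-specific weight of &quot;4 of them&quot; rests on $s1, $s3, $s4 and $s6.</span>
<span class="w">      </span><span class="o">$</span><span class="n">s1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Usage: </span><span class="si">%s</span><span class="s2"> /path/to/be/encrypted&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Unexpected error </span><span class="si">%d</span><span class="s2"> on netlink descriptor </span><span class="si">%d</span><span class="s2"> (address family </span><span class="si">%d</span><span class="s2">).&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;you will lose your time and data&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="c1">// fullword only matches when the bytes on both sides of the string are non-alphanumeric,</span>
<span class="w">      </span><span class="c1">// so an address whose local part ends in a letter or digit would not satisfy $s4;</span>
<span class="w">      </span><span class="c1">// confirm against the sample before relying on this string.</span>
<span class="w">      </span><span class="o">$</span><span class="n">s4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;@onionmail.com&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s5</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;relocation processing: </span><span class="si">%s%s</span><span class="s2">&quot;</span><span class="w"> </span><span class="n">fullword</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">s6</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Its just a business.&quot;</span><span class="w"> </span><span class="n">ascii</span>

<span class="w">   </span><span class="n">condition</span><span class="p">:</span>
<span class="w">      </span><span class="c1">// uint16(0) == 0x457f: the file starts with bytes 7F 45, the beginning of the ELF magic.</span>
<span class="w">      </span><span class="n">uint16</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mh">0x457f</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">filesize</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mi">3000</span><span class="n">KB</span><span class="w"> </span><span class="ow">and</span>
<span class="w">      </span><span class="mi">4</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">them</span>
<span class="p">}</span>
</code></pre></div>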

<h3>RTM Locker</h3>
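<div class="codehilite"><pre><span></span><code><span class="c1">// Source: https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux</span>
<span class="c1">// Matches a file that contains all five strings below, in ASCII or UTF-16 (wide) form.</span>
<span class="c1">// The condition has no ELF-magic or filesize guard, so any file holding all five strings,</span>
<span class="c1">// including a report or rule file that quotes them, also matches.</span>

<span class="nv">rule</span><span class="w"> </span><span class="nv">Uptycs_Ransomware_RTM_Locker</span>
{
<span class="w">    </span><span class="nv">meta</span>:
<span class="w">        </span><span class="nv">malware_name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;RANSOMWARE&quot;</span>
<span class="w">        </span><span class="nv">description</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Ransomware is a malware that encrypts sensitive information on your system and asks for ransom in exchange for restoring the encrypted data.&quot;</span>
<span class="w">        </span><span class="nv">author</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Uptycs Inc&quot;</span>
<span class="w">        </span><span class="nv">version</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;1&quot;</span>
<span class="w">    </span><span class="nv">strings</span>:
<span class="w">        </span><span class="c1">// _0 to _2: esxcli commands for listing and killing VM processes, plus a temp file name.</span>
<span class="w">        </span>$<span class="nv">Ransomware_RTM_Locker_0</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;esxcli vm process list&quot;</span><span class="w">  </span><span class="nv">ascii</span><span class="w"> </span><span class="nv">wide</span>
<span class="w">        </span>$<span class="nv">Ransomware_RTM_Locker_1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;vmlist.tmp.txt&quot;</span><span class="w">  </span><span class="nv">ascii</span><span class="w"> </span><span class="nv">wide</span>
<span class="w">        </span>$<span class="nv">Ransomware_RTM_Locker_2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;esxcli vm process kill&quot;</span><span class="w">  </span><span class="nv">ascii</span><span class="w"> </span><span class="nv">wide</span>
<span class="w">        </span><span class="c1">// _3 and _4: message text (presumably from the ransom note embedded in the binary).</span>
<span class="w">        </span>$<span class="nv">Ransomware_RTM_Locker_3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;!!! Warning!!!&quot;</span><span class="w">  </span><span class="nv">ascii</span><span class="w"> </span><span class="nv">wide</span>
<span class="w">        </span>$<span class="nv">Ransomware_RTM_Locker_4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Your network is infected by the RTM Locker command&quot;</span><span class="w">  </span><span class="nv">ascii</span><span class="w"> </span><span class="nv">wide</span>
<span class="w">    </span><span class="nv">condition</span>:
<span class="w">        </span><span class="c1">// Every string is required, so a variant that changes any one of them is missed.</span>
<span class="w">        </span><span class="nv">all</span><span class="w"> </span><span class="nv">of</span><span class="w"> </span><span class="ss">(</span>$<span class="nv">Ransomware_RTM_Locker</span><span class="o">*</span><span class="ss">)</span>
}
</code></pre></div>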

<h3>Polaris</h3>
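<div class="codehilite"><pre><span></span><code><span class="c1">// Source: https://github.com/signalblur/detection-artifacts/blob/main/yara/linux_malware.yar</span>
<span class="c1">// Matches an ELF file under 13000KB that contains at least four of the nine $x strings.</span>

<span class="n">rule</span><span class="w"> </span><span class="n">Polaris</span><span class="w"> </span><span class="p">{</span>
<span class="w">   </span><span class="n">meta</span><span class="p">:</span>
<span class="w">      </span><span class="n">description</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;linux_ransomware - file Polaris&quot;</span>
<span class="w">      </span><span class="n">author</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;signalblur&quot;</span>
<span class="w">      </span><span class="n">reference</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Linux Research&quot;</span>
<span class="w">      </span><span class="n">date</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;2023-07-17&quot;</span>
<span class="w">      </span><span class="n">hash1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;e29aa629bf492a087a17fa7ec0edb6be4b84c5c8b0798857939d8824fa91dbf9&quot;</span>
<span class="w">   </span><span class="n">strings</span><span class="p">:</span>
<span class="w">      </span><span class="c1">// $x1 and $x2: dot-separated runs of extension-like tokens.</span>
<span class="w">      </span><span class="o">$</span><span class="n">x1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;Inf.css.gif.htm.jpg.mjs.pdf.png.svg.xml&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">x2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;.avif.html.jpeg.json.ssh/.wasm.webp&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">x3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;PolarisRadicalReferer&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="c1">// $x4 to $x9 are short or generic on their own (a file name, mail domains, a run of &quot;!&quot;);</span>
<span class="w">      </span><span class="c1">// the ELF and size checks plus the 4-string threshold are what keep them from firing alone.</span>
<span class="w">      </span><span class="o">$</span><span class="n">x4</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;WARNING.txt&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">x5</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;polaris&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">x6</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;@tutanota.com&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">x7</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;@opentrash.com&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">x8</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;pol.aris&quot;</span><span class="w"> </span><span class="n">ascii</span>
<span class="w">      </span><span class="o">$</span><span class="n">x9</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">&quot;!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!&quot;</span><span class="w"> </span><span class="n">ascii</span>

<span class="w">   </span><span class="n">condition</span><span class="p">:</span>
<span class="w">      </span><span class="c1">// uint16(0) == 0x457f: the file starts with bytes 7F 45, the beginning of the ELF magic.</span>
<span class="w">      </span><span class="n">uint16</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="mh">0x457f</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">filesize</span><span class="w"> </span><span class="o">&lt;</span><span class="w"> </span><span class="mi">13000</span><span class="n">KB</span><span class="w"> </span><span class="ow">and</span>
<span class="w">      </span><span class="mi">4</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="p">(</span><span class="o">$</span><span class="n">x</span><span class="o">*</span><span class="p">)</span>
<span class="p">}</span>
</code></pre></div>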
            </div>
          </div>
        </div>
      </div>
    </div>

  </div>
</div>



</body>
</html>